Uikit: xss vulnerability

Created on 10 Oct 2016 · 3 Comments · Source: uikit/uikit

Open this page and hover the "XSS bug"-button:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>XSS bug</title>
<script src="../_test.js"></script>
<script src="../../src/js/components/tooltip.js"></script>
</head>
<body>
<button class="uk-button" data-uk-tooltip title="&lt;img src=aa onerror=alert(1);&gt;">XSS bug</button>
</body>
</html>

All 3 comments

The problem is line 84 in uikit/src/js/components/tooltip.js. this.tip should be html-encoded:

$tooltip.html('<div class="uk-tooltip-inner">' + this.tip + '</div>');

or:

$tooltip.html( $('<div class="uk-tooltip-inner">').text(this.tip) );

Hi,

I see your point, but I think this should be the responsibility of the one who creates the site. He should escape the string if it is needed.

Greets,
Artur

But this means I have to double-quote the title-text.
E.g., this is vulnerable:
<img title="&lt;script&gt;alert(&quot;123&quot;)&lt;script&gt;">
This works:
<img title="&amp;lt;script&amp;gt;alert(&amp;quot;123&amp;quot;)&amp;lt;script&amp;gt;">
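
Added example, not part of the original thread or of UIkit's code: a browser-free JavaScript model of the flow the comments describe, where the HTML parser decodes the title attribute once and the tooltip then concatenates the result into markup. All helper names are hypothetical, and the entity decoder is an assumption that covers only five entities.

```javascript
// Added example: models the tooltip data flow without a browser or jQuery.
// decodeAttr() stands in for the HTML parser decoding a title="..." value.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };

// One left-to-right pass: "&amp;lt;" becomes "&lt;", never "<".
function decodeAttr(raw) {
  return raw.replace(/&(?:lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const OPEN = '<div class="uk-tooltip-inner">';
const CLOSE = '</div>';

// Pattern reported in the issue: the tip is concatenated into markup as-is.
function renderUnsafe(tip) { return OPEN + tip + CLOSE; }

// Hardened form: the tip is encoded first, so it can only ever be text.
function renderSafe(tip) { return OPEN + escapeHtml(tip) + CLOSE; }

// True when the wrapper's content would start a tag when parsed as HTML.
function hasInjectedTag(markup) {
  const inner = markup.slice(OPEN.length, markup.length - CLOSE.length);
  return /<[a-zA-Z\/!?]/.test(inner);
}

// What a user would read in the tooltip: inner markup decoded back to text.
function visibleText(markup) {
  return decodeAttr(markup.slice(OPEN.length, markup.length - CLOSE.length));
}

// Constructed inputs modelled on the attribute values in the thread.
const once = decodeAttr('&lt;img src=aa onerror=alert(1);&gt;');
const twice = decodeAttr('&amp;lt;img src=aa onerror=alert(1);&amp;gt;');

console.log(hasInjectedTag(renderUnsafe(once)));   // escaped once, raw concatenation
console.log(hasInjectedTag(renderUnsafe(twice)));  // escaped twice (the workaround)
console.log(hasInjectedTag(renderSafe(once)));     // escaped once, encoded on output
console.log(visibleText(renderSafe(twice)));       // both combined: entities show up
```

Encoding on output and double-escaping in the page source are alternatives: applying both leaves literal entities visible in the tooltip.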
