This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed HTML Injection #2

Merged
merged 1 commit into from Aug 20, 2020

Conversation

mufeedvh

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-jquery-confirm

⚙️ Description *

The project jquery-confirm adds classes to HTML elements without any validation causing an HTML Injection.

💻 Technical Description *

The code dynamically creates an HTML element for the setIcon and closeIconClass actions and adds classes directly to the elements making it vulnerable to an HTML Injection Vulnerability.

The implementation should not be like this, and sanitizing/escaping the input class is also not the way, as there is a dedicated function in jQuery to do just what we want: addClass().

This is also suggested by the reporter of this vulnerability: craftpip#508 (comment).

🐛 Proof of Concept (PoC) *

<html>
<head>
   <title>jquery-confirm HTML Injection PoC</title>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
   <script src="js/jquery-confirm.js"></script>
   <script>
      $.confirm().setIcon('"><img src onerror="alert(1337)"><"')
   </script>
</head>
<body>
    ...
</body>
</html>

🔥 Proof of Fix (PoF) *

As suggested by the reporter, I implemented the jQuery dedicated function addClass() to add a class to the particular dynamically created element, completely preventing any possible bypasses.

👍 User Acceptance Testing (UAT)

Just added a jQuery function on a jQuery project. 😉
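The contrast the PR description draws, as an added example that is not code from jquery-confirm, from this PR, or from its author: the string-splicing pattern that makes the PoC payload parse as new markup, next to the element-property pattern that jQuery's addClass() relies on. It runs under Node without a browser DOM, so the "safe" side models an element with a small object whose class list is only escaped when the tree is serialized; in a real browser, addClass() writes to element.classList and the browser's own serializer does that escaping. The payload string is taken from the PoC above; the function names and the tag-counting heuristic are assumptions made for this example.

```javascript
// Added example, not part of jquery-confirm or this PR. Shows why splicing a
// caller-supplied class name into markup text is an HTML injection, while
// storing it as element data (what addClass() does) is not.

// Payload copied from the PR's PoC.
const POC_PAYLOAD = '"><img src onerror="alert(1337)"><"';

// Vulnerable pattern (assumed shape, not the project's exact code): the class
// string is concatenated into markup, so a double quote closes the attribute
// and everything after it is parsed as new tags.
function renderIconConcat(cls) {
  return '<i class="' + cls + '"></i>';
}

// Minimal attribute escaping used only when an element object is turned
// into text. Covers the characters that can change attribute or tag context.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for a DOM element. Like addClass(), the input is split on
// whitespace and each token becomes one class name; duplicates are dropped.
// The tokens are data, never parsed, so the tree shape cannot change.
function createIconElement(cls) {
  const el = { tag: 'i', classList: [] };
  for (const token of String(cls).split(/\s+/)) {
    if (token && !el.classList.includes(token)) el.classList.push(token);
  }
  return el;
}

// Serialize the element object; escaping happens here, at the boundary.
function serialize(el) {
  const classAttr = el.classList.length
    ? ' class="' + escapeAttr(el.classList.join(' ')) + '"'
    : '';
  return '<' + el.tag + classAttr + '></' + el.tag + '>';
}

// Safe pattern: build the element first, serialize afterwards.
function renderIconSafe(cls) {
  return serialize(createIconElement(cls));
}

// Rough count of start tags an HTML parser would see in the markup.
// One tag means the class stayed inside the attribute; more means breakout.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

function demo() {
  const unsafe = renderIconConcat(POC_PAYLOAD);
  const safe = renderIconSafe(POC_PAYLOAD);
  console.log('concat :', unsafe, '-> start tags:', countStartTags(unsafe));
  console.log('addClass-style:', safe, '-> start tags:', countStartTags(safe));
  return { unsafe, safe };
}

demo();
```

The point of the tag count is the check a reviewer can apply to any "build markup from user input" path: if a value that reaches an attribute can raise the number of elements the parser produces, the value is being parsed rather than stored, and the fix is to set the property on the element (addClass(), attr(), text()) instead of escaping inside the string.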

@JamieSlome JamieSlome requested review from Mik317 and toufik-airane and removed request for toufik-airane and Mik317 August 16, 2020 08:57
@JamieSlome JamieSlome merged commit 79cf205 into 418sec:master Aug 20, 2020
@huntr-helper
Member

Congratulations mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
