
SECURITY UPDATE: Fixed cross-site scripting issue in redirect result page.

Although setting HTML element content via innerHTML ignores script
tags, it is possible to run arbitrary script code by using the onerror
handler of img tags:

result.html?<img src="foo.png" onerror="alert(document.cookie)"/>

Setting the body content via textContent/innerText fixes this security
hole.

Thanks to Diederik van der Boor for the report and proof-of-concept.
1 parent fe29267 commit 41750323a464e848856dc4c5c940663498beb74a @blueimp committed Aug 9, 2012
Showing with 7 additions and 3 deletions.
  1. +7 −3 cors/result.html
@@ -1,7 +1,7 @@
<!DOCTYPE HTML>
<!--
/*
- * jQuery Iframe Transport Plugin Redirect Page 2.0
+ * jQuery Iframe Transport Plugin Redirect Page 2.0.1
* https://github.com/blueimp/jQuery-File-Upload
*
* Copyright 2010, Sebastian Tschan
@@ -16,5 +16,9 @@
<meta charset="utf-8">
<title>jQuery Iframe Transport Plugin Redirect Page</title>
</head>
-<body><script>document.body.innerHTML=decodeURIComponent(window.location.search.slice(1));</script></body>
-</html>
+<body>
+<script>
+document.body.innerText=document.body.textContent=decodeURIComponent(window.location.search.slice(1));
+</script>
+</body>
+</html>
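
Review bot: The chained assignment in the new script line (document.body.innerText=document.body.textContent=...) writes the body twice in browsers that support both properties, and the two are not equivalent: assigning innerText turns line breaks in the string into br elements, while textContent leaves a single text node, so the resulting DOM depends on which properties the browser implements. Consider a feature check that sets textContent where it exists and falls back to innerText only where it does not. Separately, decodeURIComponent throws a URIError on a malformed percent sequence in window.location.search and nothing here catches it, so a malformed query string leaves the body empty with a script error; wrapping the decode in try/catch and falling back to an empty string would make that case explicit.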

1 comment on commit 4175032

vdboor commented on 4175032 Aug 9, 2012

I'm very happy you've fixed this so quick, thanks! :)
