Skip to content
Permalink
Browse files

Tooltip: Escape the title attribute so that it's treated as text and …

…not HTML. Fixes #8861 - Tooltip: XSS vulnerability in default content.
  • Loading branch information...
scottgonzalez committed Nov 27, 2012
1 parent 5fee6fd commit f2854408cce7e4b7fc6bf8676761904af9c96bde
Showing with 18 additions and 2 deletions.
  1. +1 −1 demos/autocomplete/combobox.html
  2. +14 −0 tests/unit/tooltip/tooltip_options.js
  3. +3 −1 ui/jquery.ui.tooltip.js
@@ -61,7 +61,7 @@
// remove invalid value, as it didn't match anything
$( element )
.val( "" )
.attr( "title", $( "<a>" ).text( value ).html() + " didn't match any item" )
.attr( "title", value + " didn't match any item" )
.tooltip( "open" );
select.val( "" );
setTimeout(function() {
@@ -16,6 +16,20 @@ test( "content: default", function() {
deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), "anchortitle" );
});

test( "content: default; HTML escaping", function() {
expect( 2 );
var scriptText = "<script>$.ui.tooltip.hacked = true;</script>",
element = $( "#tooltipped1" );

$.ui.tooltip.hacked = false;
element.attr( "title", scriptText )
.tooltip()
.tooltip( "open" );
equal( $.ui.tooltip.hacked, false, "script did not execute" );
deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), scriptText,
"correct tooltip text" );
});

test( "content: return string", function() {
expect( 1 );
var element = $( "#tooltipped1" ).tooltip({
@@ -46,7 +46,9 @@ $.widget( "ui.tooltip", {
version: "@VERSION",
options: {
content: function() {
return $( this ).attr( "title" );
var title = $( this ).attr( "title" );
// Escape title, since we're going from an attribute to raw HTML
return $( "<a>" ).text( title ).html();
},
hide: true,
// Disabled elements have inconsistent behavior across browsers (#8661)

0 comments on commit f285440

Please sign in to comment.
You can’t perform that action at this time.