Merge pull request #474 from dmethvin/fix-9521-xss-hash
Fixes #9521. Prioritize #id over <tag> to avoid XSS via location.hash.
dmethvin committed Aug 25, 2011
2 parents 84f2908 + 749dbad commit db9e023e62c1ff5d8f21ed9868ab6878da2005e9
Showing 2 changed files with 20 additions and 2 deletions.
@@ -16,8 +16,8 @@ var jQuery = function( selector, context ) {
rootjQuery,

// A simple way to check for HTML strings or ID strings
// (both of which we optimize for)
quickExpr = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,

// Check if a string has a non-whitespace character in it
rnotwhite = /\S/,
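Review bot: the new prefix `[^#<]*` only keeps a string out of the HTML branch when a `#` appears before its first `<`; any other prefix made of characters that are neither `#` nor `<` (a tag name, an attribute selector) still lets the first alternative match and the string is parsed as markup. If the intended rule is "markup must begin with `<`", anchoring the first alternative as `^\s*(<[\w\W]+>)` would state that directly; if the patch is deliberately limited to the `#`-prefixed shape, the comment on the new line should say so rather than the more general "prioritize #id over <tag>".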
@@ -467,6 +467,24 @@ test("isXMLDoc - HTML", function() {
document.body.removeChild( iframe );
});

test("XSS via location.hash", function() {
expect(1);

stop();
jQuery._check9521 = function(x){
ok( x, "script called from #id-like selector with inline handler" );
jQuery("#check9521").remove();
delete jQuery._check9521;
start();
};
try {
// This throws an error because it's processed like an id
jQuery( '#<img id="check9521" src="no-such-.gif" onerror="jQuery._check9521(false)">' ).appendTo("#qunit-fixture");
} catch (err) {
jQuery._check9521(true);
};
});

if ( !isLocal ) {
test("isXMLDoc - XML", function() {
expect(3);
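Review bot: the `catch` block reports success for any exception, so a typo in the test string or an unrelated error raised inside `jQuery()` would also pass; assert on the actual outcome instead, for example `equal( jQuery("#check9521").length, 0 )` after the call, rather than only on the fact that something threw. The async setup is also fragile: if neither the exception nor the `onerror` handler fires, `start()` is never called and the test sits until the QUnit timeout with its one expected assertion unmet, so a check after the try/catch that releases `stop()` directly would be safer. Minor: the `};` closing the catch block carries a stray semicolon.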

8 comments on commit db9e023


@mala mala commented on db9e023 Aug 26, 2011


Hi dmethvin,

```javascript
quickExpr = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/
```

is better.

```javascript
var user_input = "<img>";
$("a[class=" + user_input + "]"); // create img element
```

see http://bugs.jquery.com/ticket/9521#comment:3
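As an added example (not jQuery's code and not part of this thread), the three versions of quickExpr discussed here are run over a few constructed inputs to show which strings each one routes to the HTML branch, the ID branch, or the selector engine; it checks the regex alone and ignores the charAt pre-check that $.fn.init performs before it.

```javascript
// Added example: classify selector-like strings the way each quickExpr variant does.
const quickExprOld      = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;  // before commit db9e023
const quickExprPatched  = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // after commit db9e023
const quickExprProposed = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;    // mala's proposal above

// Returns "html" (capture 1: parsed as markup), "id" (capture 2: getElementById),
// or "selector" (no quickExpr match: handed to the selector engine).
function classify(re, input) {
  const m = re.exec(input);
  if (!m) return "selector";
  if (m[1] !== undefined) return "html";
  return "id";
}

// Constructed inputs: a plain id, plain markup, the location.hash shape from #9521,
// the attribute-selector shape from the comment above, and markup with leading space.
const samples = ["#foo", "<div>", "#<img>", "a[class=<img>]", "  <p>"];

// Builds a lookup of input -> { old, patched, proposed } classification.
function classificationTable() {
  const out = {};
  for (const s of samples) {
    out[s] = {
      old: classify(quickExprOld, s),
      patched: classify(quickExprPatched, s),
      proposed: classify(quickExprProposed, s),
    };
  }
  return out;
}

// Prints one line per input so the difference between the variants is visible.
for (const [input, r] of Object.entries(classificationTable())) {
  console.log(JSON.stringify(input), "old:", r.old, "patched:", r.patched, "proposed:", r.proposed);
}
```

The `a[class=<img>]` row is the case the comment raises: the patched regex still classifies it as markup, while the proposed one sends it to the selector engine.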


@dmethvin dmethvin commented on db9e023 Aug 26, 2011


Agreed but it is also more likely to cause a regression. For now I would like to stay with this patch, which only addresses the use of location.hash in $().


@Krinkle Krinkle commented on db9e023 Sep 4, 2011


Why does quickExpr check for <tag> at all?

For a while now, $.fn.init has checked something else before it looks at quickExpr: the if statement that checks whether .charAt(0) is < and the last character is >, and if so prepares for an HTML match.

Afaik, there is no case where $() should accept HTML that doesn't start with < and end with >. So, with the charAt check for HTML in place, can't quickExpr be simplified to only match strings that start with a #, and pass those on to document.getElementById?

I'm probably missing something obvious here.


@dmethvin dmethvin commented on db9e023 Sep 7, 2011


@Krinkle, it wouldn't surprise me if this code has gotten out of whack because of progressive changes. Could you open a ticket with your observations and reference this pull request? A patch and some more test cases would be good as well, maybe we can get this into 1.7.


@fr34k8 fr34k8 commented on db9e023 Jan 21, 2015


Thread is open for a while, but "anything" discovered with #1.10.1?!


@dmethvin dmethvin commented on db9e023 Jan 21, 2015


Not sure what you're asking about, but sure that this is the wrong place to ask.


@fr34k8 fr34k8 commented on db9e023 Jan 21, 2015


Agreed
