Merge pull request #474 from dmethvin/fix-9521-xss-hash
Fixes #9521. Prioritize #id over <tag> to avoid XSS via location.hash.
Showing 2 changed files with 20 additions and 2 deletions.
Hi dmethvin,

`quickExpr = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/`

is better.

```js
var user_input = "<img>";
$("a[class=" + user_input + "]"); // create img element
```

see http://bugs.jquery.com/ticket/9521#comment:3
Agreed but it is also more likely to cause a regression. For now I would like to stay with this patch, which only addresses the use of `location.hash` in `$()`.
Why does `quickExpr` check for `<tag>` at all? For a while now, `$.fn.init` checks something else before it looks for `quickExpr`: the if statement that checks if `.charAt(0)` is `<` and the last character `>`, and if so, prepares for a HTML match. Afaik, there is no case where `$()` should accept HTML that doesn't start with `<` and end with `>`. So, with the `charAt` check for HTML in place, can't `quickExpr` be simplified to only match strings that start with a `#`, and pass on to `document.getElementById`? I'm probably missing something obvious here..
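As an added example (not jQuery's code, not the committed diff, and not part of this thread), the classification step the discussion turns on, modelled in plain JavaScript: the `charAt` guard described above, the stricter `quickExpr` proposed in the first comment, and, as an assumption, a laxer pre-fix pattern of the same shape with `[^<]*` in place of `\s*`. It shows that the lax pattern classifies `#<img>` (a hash fragment that is not a plain id) and `a[class=<img>]` as HTML, while the stricter pattern passes both to the selector engine.

```javascript
// Added example, not jQuery's code and not the committed diff: models how
// $() decides whether a string is HTML, an #id, or a selector.
// ASSUMPTION: quickExprLax is a pre-fix pattern of the same shape with
// "[^<]*" where the proposed fix has "\s*"; quickExprStrict is the pattern
// proposed in the first comment of this thread.
const quickExprLax = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const quickExprStrict = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// The fast-path guard described in the thread: the whole string is HTML
// only when it starts with "<" and ends with ">".
function looksLikeHtml(s) {
  return s.length >= 3 && s.charAt(0) === "<" && s.charAt(s.length - 1) === ">";
}

// Returns { kind: "html" | "id" | "selector", value }.
// "html" means elements would be created from the string, "id" means a
// document.getElementById lookup, "selector" means the selector engine.
function classify(s, quickExpr) {
  // Guard first; when it fails, the regex alone decides, which is exactly
  // where a lax first alternative can still turn "#<...>" into HTML.
  const m = looksLikeHtml(s) ? [null, s, null] : quickExpr.exec(s);
  if (m && m[1]) return { kind: "html", value: m[1] };
  if (m && m[2] !== undefined) return { kind: "id", value: m[2] };
  return { kind: "selector", value: s };
}

// Constructed sample inputs: the cases the discussion turns on. "#<img>"
// stands in for a location.hash that is not a plain id; "a[class=<img>]"
// is the first commenter's example.
const SAMPLES = ["<div>", "#foo", "#<img>", "a[class=<img>]"];

// Classify every sample with the given pattern; returns { input: kind }.
function classifyAll(quickExpr) {
  const out = {};
  for (const s of SAMPLES) out[s] = classify(s, quickExpr).kind;
  return out;
}

// Lax:    { "<div>": "html", "#foo": "id", "#<img>": "html", "a[class=<img>]": "html" }
// Strict: { "<div>": "html", "#foo": "id", "#<img>": "selector", "a[class=<img>]": "selector" }
console.log(classifyAll(quickExprLax));
console.log(classifyAll(quickExprStrict));
```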
@Krinkle, it wouldn't surprise me if this code has gotten out of whack because of progressive changes. Could you open a ticket with your observations and reference this pull request? A patch and some more test cases would be good as well, maybe we can get this into 1.7.
thread is open for a while but "anything" discovered with #1.10.1?!
Not sure what you're asking about, but sure that this is the wrong place to ask.
Agreed