Merge pull request #474 from dmethvin/fix-9521-xss-hash
Fixes #9521. Prioritize #id over <tag> to avoid XSS via location.hash.
Showing 2 changed files with 20 additions and 2 deletions.
Hi dmethvin,
`quickExpr = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/` is better.

```js
var user_input = "<img>";
$("a[class=" + user_input + "]"); // create img element
```

see http://bugs.jquery.com/ticket/9521#comment:3
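To make the routing question in this thread concrete, here is an added example (not code from the jQuery commit or from any commenter) that classifies a `$()` string argument under three versions of `quickExpr`. The regexes are reconstructed from memory of jQuery 1.6.2 (before the fix), 1.6.3 (this fix) and the first commenter's proposal, and the `charAt` shortcut mirrors `$.fn.init`; all three are assumptions, not text from this page.

```javascript
// Added example (not code from the jQuery commit or from the comments above).
// The regexes are reconstructed from memory of jQuery 1.6.2 (before the fix),
// 1.6.3 (this fix) and the first commenter's proposal; treat them as assumptions.
const quickExprBefore   = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const quickExprFixed    = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const quickExprProposed = /^(?:\s*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Mirror the branch $.fn.init took on a string argument (reconstructed): the
// charAt shortcut for "<...>" strings first, then quickExpr. Group 1 means
// "parse as HTML", group 2 means getElementById, and no match means the string
// is handed to the CSS selector engine, which never creates elements.
function classify(quickExpr, selector) {
  let match;
  if (selector.charAt(0) === "<" &&
      selector.charAt(selector.length - 1) === ">" &&
      selector.length >= 3) {
    match = [null, selector, null];
  } else {
    match = quickExpr.exec(selector);
  }
  if (!match) return { kind: "selector" };
  if (match[1]) return { kind: "html", fragment: match[1] };
  return { kind: "id", id: match[2] };
}

// Constructed inputs: a plain id, a literal fragment, an id followed by
// markup (the shape an untrusted location.hash can take), and the
// attribute-selector case raised in the first comment.
const samples = ["#main", "<div>", "#main<b>x</b>", "a[class=<img>]"];

// Tabulate how each version of quickExpr routes every sample.
function compare(inputs) {
  const versions = { before: quickExprBefore, fixed: quickExprFixed, proposed: quickExprProposed };
  return inputs.map((s) => {
    const row = { input: s };
    for (const [name, re] of Object.entries(versions)) row[name] = classify(re, s).kind;
    return row;
  });
}

console.table(compare(samples));
```

Both the committed and the proposed regex stop routing an id followed by markup to the HTML parser, but only the proposed one also refuses `a[class=<img>]`, which is the gap the first comment points out.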
Agreed, but it is also more likely to cause a regression. For now I would like to stay with this patch, which only addresses the use of `location.hash` in `$()`.
Why does `quickExpr` check for `<tag>` at all? Since a while now, `$.fn.init` checks something else before it looks for `quickExpr`: the if statement that checks if `.charAt(0)` is `<` and the last character `>`, and if so, prepares for a HTML-match.

Afaik, there is no case where `$()` should accept HTML that doesn't start with `<` and end with `>`. So, with the `charAt`-check for HTML in place, can't `quickExpr` be simplified to only match strings that start with a `#`, and pass on to `document.getElementById`?

I'm probably missing something obvious here..
@Krinkle, it wouldn't surprise me if this code has gotten out of whack because of progressive changes. Could you open a ticket with your observations and reference this pull request? A patch and some more test cases would be good as well, maybe we can get this into 1.7.
Thread is open for a while but "anything" discovered with #1.10.1?!
Not sure what you're asking about, but sure that this is the wrong place to ask.
Agreed