Skip to content
This repository

fix xss bug on tooltip initialize #853

wants to merge 1 commit into from

4 participants

Claudio Contin sjankis Iiridayn donmerlin
Claudio Contin

Tooltip doesn't sanitize html when initialized, even though the html passed is already sanitized.
I found a patch from here, but probably a pull request was never done.

Claudio Contin

example of bug (mouse over the image to trigger):

Claudio Contin

guess the possibility to accept raw html could be made optional, but by default I think is too risky for this kind of bugs. Html could be allowed only if user does not have direct control of the input fed to tooltip component


I understand the concern.
I just want to make the point that, as well as fixing the bug where escaped html in title was getting executed,
this fix also removes the ability to deliberately put unescaped html in title.
I think it's user's responsibility to sanitize input, so I'd prefer to see escaped and unescaped html treated differently.
However, there is still next-element mechanism for creating rich tooltips, so it's not that big a deal.

Claudio Contin

Did you see example?
The input is escaped, but the code is still executed


I would be pleased even if only with a configuration option that triggers this patch, even if off by default. I would of course prefer on by default as a security measure, but I don't know what opposition that would face. I was honestly surprised to find a security hole in this library and expected that our site was merely out of date or misconfigured.


Off topic, but is it possible to patch a pull request (eg, to add a setting)? With git I would just checkout the master repo, pull and merge the commit, add another commit, and request a pull from there - does this work in github? I can't seem to figure out how the ui supports it, and I've spent about as much time as I can justify (to my boss) on this.

Claudio Contin

You need to fork the project first, then do your patch, then do a pull request.
That is what I did, but my pull request has never been considered, because it's not a concerne for the owner of the project.


Read all the comments, and just have one short one to add of my own. Because this issue has been reported as a security issue by IBM IT, it makes it difficult for some people (e.g., me) to get permission to use it. So, please, pull the patch into the release, provide whatever options to make people happy, but I would love to see the security issue closed. Here's the link:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Showing 1 unique commit by 1 author.

Aug 28, 2012
Claudio Contin fix xss bug on tooltip initialize 56a5e9b
This page is out of date. Refresh to see the latest.

Showing 1 changed file with 2 additions and 1 deletion. Show diff stats Hide diff stats

  1. +2 1  src/tooltip/tooltip.js
3  src/tooltip/tooltip.js
@@ -132,7 +132,8 @@
132 132 tip,
133 133 timer = 0,
134 134 pretimer = 0,
135   - title = trigger.attr("title"),
  135 + // title = trigger.attr("title"), - XSS BUG
  136 + title = $('<div/>').text(trigger.attr('title')).html(),
136 137 tipAttr = trigger.attr("data-tooltip"),
137 138 effect = effects[conf.effect],
138 139 shown,

Tip: You can add notes to lines in a file. Hover to the left of a line to make a note

Something went wrong with that request. Please try again.