
Fix potential XSS in _ariaSay().

If the "text" version of an AutoComplete result actually contains HTML
characters (e.g. "<b>foo</b>"), it would be inserted into the ARIA live
region as HTML rather than as text. An attacker with the ability to
influence the content of results could leverage this to carry out an
XSS attack.
1 parent b2ade60 commit dc0ba5855828d856923976b5fb39a2517032c85b @rgrove committed Apr 27, 2012
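--- a/src/autocomplete/HISTORY.md
+++ b/src/autocomplete/HISTORY.md
@@ -1,6 +1,13 @@
 AutoComplete Change History
 ===========================
+3.5.1
+-----
+
+* Fixed a potential XSS issue involving the ARIA live region and text results
+ that contain HTML markup.
+
+
 3.5.0
 -----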
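--- a/src/autocomplete/js/autocomplete-list.js
+++ b/src/autocomplete/js/autocomplete-list.js
@@ -292,7 +292,7 @@ List = Y.Base.create('autocompleteList', Y.Widget, [
 **/
 _ariaSay: function (stringId, subs) {
 var message = this.get('strings.' + stringId);
- this._ariaNode.setContent(subs ? Lang.sub(message, subs) : message);
+ this._ariaNode.set('text', subs ? Lang.sub(message, subs) : message);
 },
 /**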
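Review bot: The new `set('text', …)` call on the `+` line fixes the sink but leaves no trace of why `setContent()` must not be used here, so a later "cleanup" could silently reintroduce the issue; a one-line comment would guard against that, e.g. `// Text only: the substituted result text may be attacker-influenced and must never reach the live region as HTML.` The change also makes the live region text-only for every `strings.*` value, so a localized string that previously relied on markup would now be announced literally — presumably intended, but worth stating in the `_ariaSay` JSDoc, which begins above this hunk. I cannot see from here whether other code paths insert `result.text` with `setContent()`; if any do, they likely warrant the same treatment.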
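--- a/src/autocomplete/tests/functional/autocomplete-test.js
+++ b/src/autocomplete/tests/functional/autocomplete-test.js
@@ -1696,6 +1696,17 @@ listSuite.add(new Y.Test.Case({
 Assert.isTrue(this.ac.get('visible'));
 this.ac.hide();
 Assert.isTrue(this.ac.get('visible'));
+ },
+
+ '_ariaSay() should insert text only, not HTML': function () {
+ this.ac.render();
+ this.ac._set('results', arrayToResults(['<b>foo</b>']));
+
+ var items = this.ac.get('listNode').all('> li.yui3-aclist-item');
+
+ this.ac.selectItem(items.item(0));
+
+ Assert.areSame('&lt;b&gt;foo&lt;/b&gt; selected.', this.ac._ariaNode.getHTML());
 }
 // Note: selectItem() is already covered by the select event test above. No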
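Review bot: The assertion on the last `+` line pins one particular innerHTML serialization (`&lt;`/`&gt;`) rather than the property that matters, namely that no element was created from the result text; asserting `Assert.areSame('<b>foo</b> selected.', this.ac._ariaNode.get('text'));` together with `Assert.areSame(0, this.ac._ariaNode.all('*').size());` would check the security property directly and be less sensitive to serializer differences between browsers. The case also exercises only a `<b>` payload through selectItem(); a second result containing an ampersand or quote (e.g. `'a&b'`) would cover the remaining escaping paths of the text setter. The enclosing Test.Case object begins above and ends below this hunk.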
