XSS in data-target attribute #20184

Closed
lpilorz opened this Issue Jun 27, 2016 · 38 comments

@lpilorz

lpilorz commented Jun 27, 2016

The data-target attribute is vulnerable to Cross-Site Scripting attacks:

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
<button data-toggle="collapse" data-target="<img src=x onerror=alert(0)>">Test</button>

@cvrebert cvrebert added js v3 labels Jun 27, 2016

@lpilorz

lpilorz commented Jun 28, 2016

I guess the fix for this specific issue could be changing the getTargetFromTrigger function:

return $(target)

to:

return $(document.querySelector(target))

but it seems the same problem is present in other places too.

Here is another example:

<a href="<img src=x onerror=alert(0)>" data-dismiss="alert">Test</a>

@XhmikosR

Member

XhmikosR commented Jun 29, 2016

@cvrebert: how do you think we should address this?

@cvrebert

Member

cvrebert commented Jun 29, 2016

return $(document.querySelector(target))

I don't think that's a viable option compatibility-wise. Bootstrap 3 supports IE8, and its CSS selector support differs from jQuery's: http://caniuse.com/#feat=queryselector

Based on https://bugs.jquery.com/ticket/11290, I guess we could try something like:

if (/\s*</.test(target)) {
  return $()
}

@dmethvin Sorry to trouble you, but does this sound like a good workaround?

(It's a shame jQuery doesn't have an "only interpret this as a selector, never as HTML" API.)

@dmethvin

Contributor

dmethvin commented Jun 29, 2016

You could use $(document).find(target) instead; that won't be interpreted as HTML.

How is this cross-site? Where does the HTML come from and how does the attacker control it?
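The vulnerable and hardened lookups discussed in the two comments above, as an added example that is not Bootstrap's or jQuery's own code. It runs under plain Node.js with no jQuery or DOM loaded: the `rquickExpr` regex and the `<...>` fast path are reproduced from jQuery's constructor so the script can show which strings `$(str)` would parse as HTML; the data-target/href precedence mirrors Bootstrap 3's getTargetFromTrigger; `getSelectorFromTrigger`, `safeTargetSelector`, `findUnsafeTriggers`, the `attrs` object shape and the sample trigger list are assumed names and constructed data. The hardened resolver combines cvrebert's `/\s*</` check with dmethvin's advice to resolve the result through `$(document).find()`.

```javascript
// Added example (not Bootstrap's or jQuery's code). Runs under plain Node.js:
// no jQuery and no DOM are loaded; the jQuery dispatch rule is reproduced here.

// jQuery's "quick expression" (copied from jQuery's source): group 1 matches a
// string that is HTML, group 2 matches a bare #id.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True when $(str) would hand str to jQuery.parseHTML and create elements.
// This is the path that turned the data-target payload in this issue into a
// live <img onerror> instead of a selector lookup.
function jqueryTreatsAsHtml(str) {
  if (typeof str !== 'string') return false;
  // Fast path used by the jQuery constructor: starts with '<', ends with '>'.
  if (str.length >= 3 && str[0] === '<' && str[str.length - 1] === '>') return true;
  const match = rquickExpr.exec(str);
  return Boolean(match && match[1]);
}

// Attribute precedence of Bootstrap 3's getTargetFromTrigger: data-target wins,
// otherwise the href reduced to its trailing #fragment. `attrs` is a plain
// object standing in for the trigger element's attributes (assumed shape).
function getSelectorFromTrigger(attrs) {
  if (attrs['data-target']) return attrs['data-target'];
  if (attrs.href) return attrs.href.replace(/.*(?=#[^\s]+$)/, '');
  return null;
}

// Hardened resolver: returns a string safe to pass to $(document).find(sel)
// (.find() never parses HTML) or null when the value is something jQuery
// would treat as markup. The '<' test is cvrebert's /\s*</ check from the
// thread; it is stricter than jQuery's own rule, which is acceptable because
// a data-target selector has no use for '<'.
function safeTargetSelector(attrs) {
  const sel = getSelectorFromTrigger(attrs);
  if (sel === null) return null;
  if (jqueryTreatsAsHtml(sel) || /\s*</.test(sel)) return null;
  return sel;
}

// Audit helper: ids of triggers whose derived target would be parsed as HTML
// by the original $(target) call. Useful for scanning server-rendered markup
// where data-target or href is built from user input.
function findUnsafeTriggers(triggers) {
  return triggers
    .filter((t) => getSelectorFromTrigger(t.attrs) !== null &&
                   safeTargetSelector(t.attrs) === null)
    .map((t) => t.id);
}

// Constructed sample triggers; the two payloads are the ones reported in this issue.
const sampleTriggers = [
  { id: 'btn-ok', attrs: { 'data-toggle': 'collapse', 'data-target': '#panel' } },
  { id: 'btn-bad', attrs: { 'data-toggle': 'collapse', 'data-target': '<img src=x onerror=alert(0)>' } },
  { id: 'link-ok', attrs: { 'data-dismiss': 'alert', href: '/help#alert-1' } },
  { id: 'link-bad', attrs: { 'data-dismiss': 'alert', href: '<img src=x onerror=alert(0)>' } },
];

console.log('unsafe triggers:', findUnsafeTriggers(sampleTriggers));
// In a browser with jQuery loaded, the safe lookup would then be:
//   const sel = safeTargetSelector(attrs);
//   const $target = sel ? $(document).find(sel) : $();
```

Note that the audit helper only flags values jQuery would parse as markup; a value that is a syntactically invalid selector is still rejected by `$(document).find()` with a thrown syntax error, so a production resolver should also wrap the lookup in a try/catch and return an empty set on failure.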

@lpilorz

lpilorz commented Jun 29, 2016

This was found in an application where data-target was based on user input and only passed through standard HTML entity encoding. There is no reason why data-target should interpret HTML, so while not impacting many applications, it should be fixed in my opinion.

@cvrebert cvrebert added this to the v3.3.7 milestone Jul 12, 2016

@cvrebert cvrebert modified the milestones: v3.3.7, v3.3.8 Jul 25, 2016

@mdo

Member

mdo commented Sep 5, 2016

Bootstrap 3 is no longer being officially developed or supported.

All work has moved onto our next major release, v4. As such, this issue or pull request is being closed as a "won't fix." For additional help and support, we recommend utilizing our community resources. Thanks for your understanding, and see you on the other side of v4!

<3,
@mdo and team

@mdo mdo closed this Sep 5, 2016

@mdo mdo modified the milestone: v3.3.8 Sep 6, 2016

@skokkanthi

skokkanthi commented Jan 17, 2017

Dear @mdo @cvrebert, is this issue fixed in v4? Please let me know. If yes, can you please give me the commit related to this?

pvdlg added a commit to pvdlg/bootstrap that referenced this issue Jan 17, 2017

pvdlg added a commit to pvdlg/bootstrap that referenced this issue Jan 27, 2017

Merge branch 'collapse-multiple-target' into current
* collapse-multiple-target:
  Use $(document).find(selector) to avoid case in #20184
  Multi-target support for collapse plugin
  make getTargets to always return a JQuery to avoid calling JQuery on the same element further down
  Add a dropdown test case for #21328
  Simplify targets.length test
  Simplify null check when possible
  Rework getSelectorFromElement to not rely on regex

# Conflicts:
#	js/src/alert.js
#	js/src/dropdown.js
#	js/tests/unit/collapse.js

@meeque

Contributor

meeque commented Aug 22, 2017

I know this one's closed, but what's the status for v4? I can see that it is still affected by this vulnerability:

https://github.com/twbs/bootstrap/blob/v4-dev/js/src/util.js#L120

I recommend mitigating it by applying @dmethvin's proposal. (Also see commits on @vanduynslagerp's fork.)

Should I prepare a pull request? Or should I open a new issue for v4?

@XhmikosR XhmikosR reopened this Aug 22, 2017

@Johann-S

Member

Johann-S commented Aug 22, 2017

Yes, you can make a PR @meeque for this issue, which is still present 👍

@Johann-S Johann-S added the v4 label Aug 22, 2017

@XhmikosR

Member

XhmikosR commented Aug 22, 2017

You could make a PR against v3-dev branch too if you want.

@meeque

Contributor

meeque commented Aug 25, 2017

Let's start off with a test case: http://jsbin.com/qalekeroke/edit?html,output

meeque added a commit to meeque/bootstrap that referenced this issue Aug 25, 2017

jerseyrobot pushed a commit to jersey/jersey that referenced this issue Dec 14, 2017

@rmirre

rmirre commented Jan 17, 2018

As this is an XSS vulnerability, is there any chance of the commit made on the pull request below actually going into a patched 3.3.7 or 3.3.8?
#23687

This has been found as a 'Serious' vulnerability within the McAfee SECURE scan our company uses. We have applied the fix above to our use of 3.3.7, but as the scan is looking for versions which have known vulnerabilities, it could cause confusion down the road if we ever have an external security audit beyond this.

We plan to move to 4.0 only when out of beta.

Thanks!

@astiob

astiob commented Jan 19, 2018

For reference, I was in a similar situation, and what I did to satisfy the security audit tool was import the v3.4.0-dev branch as a Git submodule in my project and use its Less and JavaScript sources instead of those from the v3.3.7 release. It contains the fix, and it reports 3.4.0 as the version number, so the tool is happy. (My application was not vulnerable anyway, but I figured it would be easier and more future-proof to do this than to persuade the auditors to disable this test as a false positive.)

@XhmikosR

Member

XhmikosR commented Jan 19, 2018

@mdo: how about we make one 3.x release for this before we merge the branches?

@ddillard

ddillard commented Jan 26, 2018

Has anyone started the process of getting a CVE for this issue?

@pbr0ck3r pbr0ck3r referenced this issue Feb 21, 2018: Update bootstrap dependency in package.json #4601 (closed)

@bhavlin

bhavlin commented Feb 24, 2018

Is there a reason why tab.js wasn't included in the 3.x patch?

The following test case shows a vulnerability here:

https://jsbin.com/yosaluw/edit?html,output

@XhmikosR

Member

XhmikosR commented Feb 24, 2018

@mdo: ping again. See #20184 (comment)

@rithujap

rithujap commented Mar 11, 2018

Is the vulnerability related to XSS fixed in 3.3.7?

@astiob

astiob commented Mar 11, 2018

No. For v3, it’s currently only fixed in the v3.4.0-dev branch.

sebasjm pushed a commit to sebasjm/jersey that referenced this issue Mar 11, 2018

Up version of jQuery, Angular & Bootstrap
Fixed vulnerability in Bootstrap 3.3.7 (twbs/bootstrap#20184)

Change-Id: I90370501bfe7714e924fbaec3584a0a1ff7b35af

sebasjm pushed a commit to sebasjm/jersey that referenced this issue Mar 11, 2018

@rithujap

rithujap commented Mar 12, 2018

Should we download bootstrap v4.0 for the XSS vulnerability?

@kipphoward

kipphoward commented Apr 6, 2018

Any chance that v3.4.0 with the fix could be released in the near future? (Sorry, I don't know the bootstrap release process.)

@cilefen

cilefen commented May 1, 2018

@kipphoward That is unlikely, see #20631

@jdleesmiller

jdleesmiller commented Aug 10, 2018

Discussion of a 3.4 release seems to have moved to #25679 (for anyone else who finds this issue first).

@pedros007

pedros007 commented Sep 20, 2018

A key update from @mdo yesterday:

The team has spent a lot of time cleaning up that branch and getting it in the right state. Hang tight, should have good news soon.
#25679 (comment)

Hard to follow along as I can't find the v3.4.0-dev branch in GitHub. Maybe it's at v3-dev-browserstack?

@XhmikosR

Member

XhmikosR commented Sep 20, 2018

@waliurrahman-pki

waliurrahman-pki commented Sep 21, 2018

Sorry if I am asking a silly question. Is bootstrap v3.3.7 safe and secure to use if "data-target" attribute is unused?

@lpilorz

lpilorz commented Oct 9, 2018

Apart from data-target, the href attribute can also be vulnerable (see #20184 (comment)).