Open emizzz opened 1 year ago
Looks legit to me. (as in legit threat)
Do you mean that this is intended as a feature?
As in the fact it does not escape html is a legitimate security concern. I am not a developer, I simply spotted this and wanted to state that I support that this needs to be fixed.
Magnific Popup uses a parameter called `preloader`, which by default is set to `true`. Using a specifically crafted payload (in src URL) two things happen:

Initially, the `text` variable in the `updateStatus` function is set to "Loading…". Then it takes the value passed to it by the default error handling function (which contains the URL).

```javascript
mfp.updateStatus('error', imgSt.tError.replace('%url%', item.src) );
```

The problem here is that the `.html()` function does not escape HTML and could be used to inject code. The vulnerability, if exploitable, can even lead to "stored XSS".
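The pattern the issue describes, shown as an added illustration that is not Magnific Popup's own code: the item URL is substituted into the error template and then handed to an innerHTML-style sink, so any markup characters in the URL become live HTML. The mitigation is to HTML-escape the URL before it is interpolated. The template text `tError`, the sample URL and the function names are constructed for this example; the real plugin's template wording may differ.

```javascript
// Minimal HTML escaper for values that will be placed inside markup.
// Covers the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Error template with a %url% placeholder, shaped like the issue's imgSt.tError
// (wording assumed for this example).
const tError = '<a href="%url%">The image</a> could not be loaded.';

// Unsafe variant: mirrors the reported code path. The raw src string goes straight
// into the template, and the result is later rendered with .html() (an innerHTML sink).
function unsafeErrorMarkup(template, src) {
  return template.replace('%url%', src);
}

// Safe variant: the src is escaped first, so it can only ever be text content.
// The escaped string contains no '$', so String.replace's replacement patterns
// ($&, $1, ...) cannot be triggered by the input either.
function safeErrorMarkup(template, src) {
  return template.replace('%url%', escapeHtml(src));
}

// Constructed sample: a "URL" that carries markup characters. A benign <b> tag is
// enough to show whether the characters survive as HTML or are neutralised.
const sampleSrc = 'https://example.invalid/<b>not-an-image</b>.jpg';

// Returns true when the rendered markup still contains the raw tag from the input,
// i.e. when the URL was able to inject HTML.
function leaksMarkup(rendered) {
  return rendered.includes('<b>');
}

// Stand-alone demonstration of both code paths.
function demo() {
  const unsafe = unsafeErrorMarkup(tError, sampleSrc);
  const safe = safeErrorMarkup(tError, sampleSrc);
  console.log('unsafe leaks markup:', leaksMarkup(unsafe)); // true
  console.log('safe   leaks markup:', leaksMarkup(safe));   // false
  console.log(safe);
  return { unsafe, safe };
}

demo();
```

Escaping closes the markup-injection hole the issue reports. Because the value also lands inside an `href` attribute, a complete fix would additionally restrict the URL to expected schemes (for example `http:`/`https:`) before use, since escaping alone does not stop a `javascript:` URL from being a valid attribute value; that is a separate check from the one shown here.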