dimsemenov / Magnific-Popup

Light and responsive lightbox script with focus on performance.
http://dimsemenov.com/plugins/magnific-popup/
MIT License

XSS vulnerability #1189

Open emizzz opened 1 year ago

emizzz commented 1 year ago

Magnific Popup uses a parameter called preloader, which by default is set to true.

Using a specifically crafted payload (in src URL) two things happen:

Initially, the text variable in the updateStatus function is set to “Loading…”

[screenshot: magnific_popup_vulnerability_debug1]

Then it takes the value passed to it by the default error handling function (which contains the URL).

mfp.updateStatus('error', imgSt.tError.replace('%url%', item.src) );

[screenshot: magnific_popup_vulnerability_debug2]

The problem here is that the .html() function does not escape HTML and could be used to inject code.

The vulnerability, if exploitable, can even lead to "stored XSS".
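The pattern the report describes, reduced to plain string handling so it runs without a DOM, as an added example that is not part of the issue or of Magnific Popup's code: a template containing HTML has `%url%` replaced with the item's `src` verbatim, so any markup in `src` becomes part of the string that is later handed to `.html()`. The hardened builder escapes `src` first and uses a replacer function so that `$`-sequences in the source string are not interpreted by `String.prototype.replace`. The template, the sample `src` and the helper names are constructed for this example.

```javascript
// Added example, not Magnific Popup's own code. Shows why splicing an
// unescaped src into an HTML template is unsafe and how to neutralize it.

// Constructed template of the same shape as a lightbox error message.
const TEMPLATE = '<a href="%url%">The image</a> could not be loaded.';

// Constructed sample src containing harmless markup, to show that anything
// after the closing quote is parsed as HTML when the result reaches .html().
const SAMPLE_SRC = 'https://example.invalid/x.jpg"><b>injected</b>';

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical re-creation of the reported pattern: src goes in unescaped.
// Note that a string replacement value also interprets "$&", "$1" etc.
function buildErrorMessageUnsafe(template, src) {
  return template.replace('%url%', src);
}

// Hardened form: escape src, and return it from a function so that
// String.prototype.replace does not expand "$" patterns inside it.
function buildErrorMessageSafe(template, src) {
  const escaped = escapeHtml(src);
  return template.replace('%url%', () => escaped);
}

// Detection aid: number of tag openers in a string. Comparing the count of
// the template with the count of the built message reveals injected tags.
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z]/g);
  return matches ? matches.length : 0;
}

// Tags that the replacement introduced beyond those already in the template.
function injectedTagCount(template, src, builder) {
  return countTags(builder(template, src)) - countTags(template);
}

// Usage: the unsafe builder adds two tags (<b> and </b>); the safe one adds none.
console.log(injectedTagCount(TEMPLATE, SAMPLE_SRC, buildErrorMessageUnsafe)); // 2
console.log(injectedTagCount(TEMPLATE, SAMPLE_SRC, buildErrorMessageSafe));   // 0
```

Escaping fixes the text-and-attribute context used here; where the message does not need markup at all, writing it with `.text()` (or `textContent`) instead of `.html()` removes the problem without any escaping logic.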

BloodyIron commented 1 year ago

Looks legit to me. (as in legit threat)

emizzz commented 1 year ago

Do you mean that this is intended as a feature?

BloodyIron commented 1 year ago

As in, the fact it does not escape HTML is a legitimate security concern. I am not a developer, I simply spotted this and wanted to state that I support that this needs to be fixed.