gokuney / jquery-events-calendar

Automatically exported from code.google.com/p/jquery-events-calendar

XSS Vulnerability #23

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The description is susceptible to Cross Site Scripting.

Example: put this in the description:

```html
<script>alert(document.cookie)</script>
```

Fix this:

```javascript
description = $('<span />').text(description).html();
```

Original issue reported on code.google.com by yan.uniko.102@gmail.com on 5 Mar 2014 at 3:23

GoogleCodeExporter commented 8 years ago
```javascript
eventStringDate = eventDay + "/" + eventMonthToShow + "/" + eventYear;
// Escape user-supplied text by round-tripping it through a detached element:
// .text() stores it as a text node, .html() reads back the entity-encoded markup.
var eventTitle;
if (event.url) {
    eventTitle = '<a href="' + event.url + '" target="' + eventLinkTarget + '" class="eventTitle">' + $('<span />').text(event.title).html() + '</a>';
} else {
    eventTitle = '<span class="eventTitle">' + $('<span />').text(event.title).html() + '</span>';
}
events.push('<li id="' + key + '" class="' + event.type + '"><time datetime="' + eventDate + '"><em>' + eventStringDate + '</em><small>' + eventHour + ":" + eventMinute + '</small></time>' + eventTitle + '<p class="eventDesc ' + eventDescClass + '">' + $('<span />').text(event.description).html() + '</p></li>');
i++;
```

Original comment by yan.uniko.102@gmail.com on 5 Mar 2014 at 3:27
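The fix above relies on the jQuery idiom `$('<span />').text(s).html()`, which serializes a text node and therefore encodes only `&`, `<` and `>`. That is sufficient for `event.title` and `event.description`, which land in element content, but the same snippet still concatenates `event.url`, `event.type` and `key` straight into attribute values, where a `"` in the data would end the attribute. The following is an added example, not code from the jquery-events-calendar project: a dependency-free equivalent of the jQuery idiom, an attribute-context variant that also encodes quotes, and a small renderer that applies each to the fields the patched snippet uses (the `key` and `linkTarget` parameters and the `SAMPLE_EVENT` values are constructed for the demonstration).

```javascript
// Added example (not part of jquery-events-calendar). Pure-JS equivalents of
// the escaping used in the fix, separated by output context.

// Mirrors what innerHTML serialization does to a text node: only '&', '<'
// and '>' are encoded. Quotes are untouched, so this is adequate for element
// content but NOT for attribute values.
function escapeTextContent(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Encodes quotes as well, so the result can sit inside a double- or
// single-quoted HTML attribute without terminating it.
function escapeAttribute(s) {
  return escapeTextContent(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the <li> the way the patched snippet does (the <time> part is left
// out for brevity), escaping every interpolated field for its context.
// Field names title/url/type/description follow the snippet; `key` and
// `linkTarget` are assumed parameters.
function renderEvent(key, ev, linkTarget) {
  var title = escapeTextContent(ev.title);
  var eventTitle = ev.url
    ? '<a href="' + escapeAttribute(ev.url) + '" target="' + escapeAttribute(linkTarget) +
      '" class="eventTitle">' + title + '</a>'
    : '<span class="eventTitle">' + title + '</span>';
  return '<li id="' + escapeAttribute(key) + '" class="' + escapeAttribute(ev.type) + '">' +
    eventTitle +
    '<p class="eventDesc">' + escapeTextContent(ev.description) + '</p></li>';
}

// Constructed sample input: the description carries the payload from the
// report, the URL carries a quote that would break out of href="..." if
// only the text-content escaper were used.
var SAMPLE_EVENT = {
  title: 'Meeting <b>now</b>',
  url: 'https://example.invalid/e?a=1&b=2" onmouseover="x',
  type: 'meeting',
  description: '<script>alert(document.cookie)</script>'
};

// Stand-alone run: prints the rendered, fully escaped list item.
console.log(renderEvent('ev1', SAMPLE_EVENT, '_blank'));
```

Escaping turns each value into literal text for its context; it does not decide whether the URL should be linked at all, which is a separate validation step on `event.url` before it is rendered.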