Closed HIRANO-Satoshi closed 6 years ago
This seems like a very low risk issue. If I'm understanding correctly, in order to exploit this vulnerability, you would have to have control of the ID attribute. Having control of the ID attribute implies either:
1. You have control of the front-end source itself.
2. The programmer built their jQuery Mobile widget such that the ID attribute is set using dynamic content from an external source.
If #1 is true, then XSS is a moot point because you already have control of the source.
If #2 is true, then the solution is to simply stop dynamically injecting external content into ID attributes (probably shouldn't have been done in the first place) or perform proper input validation on that external content.
TLDR: It's not a problem with jQuery Mobile -- it's only a problem if jQuery Mobile is used improperly.
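An added example (not jQuery Mobile code and not from any commenter) of the input validation suggested above: an allowlist check applied to an externally supplied value before it is ever used as a widget ID, with a generated fallback ID when the value fails. The ID grammar, the length limit and the sample values are assumptions made for this example.

```javascript
// Added example: allowlist validation for widget IDs that come from an
// external source, so untrusted content never reaches an id attribute
// (and from there an HTML comment) unchecked.

// Assumed ID grammar: a letter, then letters, digits, underscore or hyphen.
// This already excludes whitespace, quotes and angle brackets.
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]*$/;
const MAX_ID_LENGTH = 64; // assumed limit for this example

function isSafeWidgetId(candidate) {
  if (typeof candidate !== 'string') return false;
  if (candidate.length === 0 || candidate.length > MAX_ID_LENGTH) return false;
  if (!SAFE_ID.test(candidate)) return false;
  // "--" is what terminates an HTML comment, so reject it explicitly even
  // though the regex above would accept repeated hyphens.
  if (candidate.includes('--')) return false;
  return true;
}

// Returns the external value only if it passed validation; otherwise a
// generated ID so the widget still works without using the untrusted input.
let fallbackCounter = 0;
function chooseWidgetId(external, prefix = 'widget') {
  if (isSafeWidgetId(external)) return external;
  fallbackCounter += 1;
  return `${prefix}-${fallbackCounter}`;
}

// Returns the candidates that would have been rejected, for auditing a
// batch of externally sourced IDs.
function rejectedIds(candidates) {
  return candidates.filter((c) => !isSafeWidgetId(c));
}

// Constructed sample input (not real application data).
const SAMPLE_IDS = ['page-main', 'nav_panel', 'a--b', '1abc', 'my panel', '<x>'];

function demo() {
  return {
    rejected: rejectedIds(SAMPLE_IDS),
    chosen: SAMPLE_IDS.map((c) => chooseWidgetId(c)),
  };
}
```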
Okay. Thanks!
Hi,
jQuery Mobile was pointed out in the following reports as having an XSS issue. Has it been fixed, or is it not a problem?
https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
https://www.owasp.org/images/3/32/OWASP_BeNeLux-Day_2017_Bypassing_XSS_mitigations_via_script_gadgets_Sebastian_Lekies.pdf
jQuery Mobile also has an HTML injection point, where the value of the "ID" attribute is dynamically put inside an HTML comment. One can achieve arbitrary code execution by simply closing the comment and letting jQuery execute the script. Example: jQuery Mobile
Steps to reproduce: ??
Expected outcome: ??
Actual outcome: ??