paramquery / select

jQuery select plugin
GNU General Public License v3.0

XSS vulnerability #12

Open pawelkrupinski opened 9 years ago

pawelkrupinski commented 9 years ago

Hi. Our pentesters discovered a Cross-Site Scripting vulnerability that I was able to trace back to pqselect.

If you set one of the option's names in multiselect to something like this:

somevalue%27%22%3E%3C%2Ftextarea%3E%3Ch1+onclick%3Dalert%28document.domain%29%3EXSS1

unescaped version:

somevalue'"></textarea><h1 onclick=alert(document.domain)>XSS1

PQSelect will generate the unescaped version that can be executed. That is because it uses innerText instead of innerHTML (.text() vs .html() in jQuery).

I'll be submitting a pull request.
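
The following is an added example and not pqselect's own code or the reporter's pull request. It decodes the reported payload and contrasts the two rendering strategies the comment refers to: concatenating the option label into markup (what jQuery's .html() / innerHTML parses) versus inserting it as text (what .text() / textContent achieves, modelled here by escaping). The list-item wrapper, the function names and the containsInjectedTag check are assumptions made for the demo, not pqselect identifiers; the example runs in Node without a DOM because it only builds the strings that each approach would hand to the browser.

```javascript
// Added example; not code from the pqselect project.
// Shows why an option label must go through .text()/textContent rather than
// .html()/innerHTML. Works on plain strings so it runs offline in Node.

// Payload from the report, URL-encoded as it would arrive in a query string.
const ENCODED_LABEL =
  'somevalue%27%22%3E%3C%2Ftextarea%3E%3Ch1+onclick%3Dalert%28document.domain%29%3EXSS1';

// Decode the way a query-string parser would: '+' is a space, then percent-decode.
function decodeLabel(encoded) {
  return decodeURIComponent(encoded.replace(/\+/g, ' '));
}

// Minimal HTML escaping. Setting textContent (jQuery .text()) never parses the
// string at all; escaping is the string-level equivalent for this demo.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: label concatenated into markup that is later parsed,
// equivalent to $('<li>').html(label). The <li> wrapper is hypothetical.
function renderOptionVulnerable(label) {
  return '<li>' + label + '</li>';
}

// Hardened pattern: label inserted as text, equivalent to $('<li>').text(label).
function renderOptionSafe(label) {
  return '<li>' + escapeHtml(label) + '</li>';
}

// Hypothetical check for this demo: after stripping the known <li> wrapper,
// does any tag remain that could only have come from the label itself?
function containsInjectedTag(html) {
  const inner = html.replace(/^<li>|<\/li>$/g, '');
  return /<\/?[a-z][^>]*>/i.test(inner);
}

// Stand-alone run: decode the payload and compare both renderings.
const label = decodeLabel(ENCODED_LABEL);
console.log('decoded label :', label);
console.log('vulnerable    :', renderOptionVulnerable(label),
  '-> injected tag:', containsInjectedTag(renderOptionVulnerable(label)));
console.log('hardened      :', renderOptionSafe(label),
  '-> injected tag:', containsInjectedTag(renderOptionSafe(label)));
```

In the browser the same distinction is the one between `$(el).html(label)` and `$(el).text(label)`: the first hands the attacker-controlled string to the HTML parser, so the `</textarea>` closes whatever element the label was placed in and the `<h1 onclick=...>` becomes live; the second assigns it as a text node and no parsing happens.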

pawelkrupinski commented 9 years ago

And here it is. I had some trouble with whitespace.

paramquery commented 9 years ago

Thank you Pawel. I will look into it.