SECURITY UPDATE: Fixed cross-site scripting issue in redirect result …

…page. Although setting HTML element content via innerHTML ignores script tags, it is possible to run arbitrary script code by using the onerror handler of img tags: result.html?<img src="foo.png" onerror="alert(document.cookie)"/> Setting the body content via textContent/innerText fixes this security hole. Thanks to Diederik van der Boor for the report and proof-of-concept.
blueimp · Aug 9, 2012 · 4175032 · 4175032 · vdboor · Aug 9, 2012
1 parent fe29267
commit 4175032
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/cors/result.html b/cors/result.html
@@ -1,7 +1,7 @@
 <!DOCTYPE HTML>
 <!--
 /*
- * jQuery Iframe Transport Plugin Redirect Page 2.0
+ * jQuery Iframe Transport Plugin Redirect Page 2.0.1
  * https://github.com/blueimp/jQuery-File-Upload
  *
  * Copyright 2010, Sebastian Tschan
@@ -16,5 +16,9 @@
 <meta charset="utf-8">
 <title>jQuery Iframe Transport Plugin Redirect Page</title>
 </head>
-<body><script>document.body.innerHTML=decodeURIComponent(window.location.search.slice(1));</script></body>
-</html>
+<body>
+<script>
+document.body.innerText=document.body.textContent=decodeURIComponent(window.location.search.slice(1));
+</script>
+</body>
+</html>