
XSS vulnerability (new in v1.2.0) #2132

Closed
philfreo opened this issue Nov 7, 2014 · 5 comments · Fixed by #2254

Comments

@philfreo

philfreo commented Nov 7, 2014

Version 1.2.0 introduces a major XSS vulnerability

Version 1.1.0: no problem - http://jsfiddle.net/hxao6bc5/
Version 1.2.0: problem - http://jsfiddle.net/ptsL5md0/

[screenshot attached: 2014-11-07 11:47:40]

Not sure which commit introduces it, but here's the diff

@tjschuck
Member

tjschuck commented Nov 7, 2014

/cc @pfiller

@obecker

obecker commented Nov 27, 2014

I have just encountered the same problem.
A solution to the problem is to replace in SelectParser.prototype.add_option (line 61 of chosen.jquery.js) the line

text: option.text,

with

text: this.escapeExpression(option.text),
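
To make the proposed fix concrete, here is an added illustration (not Chosen's own code) of a minimal escapeExpression stand-in beside the parser step it protects, with a constructed option label and a simulated render into the result list, so the difference between the raw and escaped text is visible:

```javascript
// Added example, not part of Chosen: characters that can open markup or break
// out of an attribute, mapped to their HTML entities.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Entity-encode untrusted text before it is placed into HTML.
function escapeExpression(text) {
  if (text == null) return '';
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable shape of the parser step: the raw label is stored as-is and
// later injected into the widget's markup.
function addOptionUnsafe(option) {
  return { value: option.value, text: option.text };
}

// Hardened shape: the same step with the escape call from the comment above.
function addOptionSafe(option) {
  return { value: option.value, text: escapeExpression(option.text) };
}

// Simulates the widget building a result item from the parsed text via
// string concatenation into innerHTML-style markup (the XSS sink).
function renderResultItem(parsed) {
  return '<li class="active-result">' + parsed.text + '</li>';
}

// Constructed sample: an <option> label carrying markup, as a value pulled
// from user-supplied data might.
const sampleOption = { value: '1', text: '<i>fake</i> & "quotes"' };

console.log(renderResultItem(addOptionUnsafe(sampleOption)));
console.log(renderResultItem(addOptionSafe(sampleOption)));
```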

@ograycode

This is still an issue in v1.3.0, http://jsfiddle.net/wkm51zzm/

@tjschuck
Member

tjschuck commented Jan 5, 2015

Looks like this came in with #1638, which was held up for a while pending XSS issues discussed in #1150.

The conclusions of that may have been insufficient. @stof was seemingly the sign-off on both of those, so maybe he has more to say here. /cc @pfiller

@Intrepidd

This is a pretty important security issue; is someone working actively on this?

Intrepidd added a commit to Intrepidd/chosen that referenced this issue Jan 26, 2015