diff options
| author | Scott González <scott.gonzalez@gmail.com> | 2012-11-27 11:21:33 -0500 |
|---|---|---|
| committer | Scott González <scott.gonzalez@gmail.com> | 2012-11-27 11:21:33 -0500 |
| commit | f2854408cce7e4b7fc6bf8676761904af9c96bde (patch) | |
| tree | ff4b9d3cc46b42745eea842052fb415c700fca71 | |
| parent | 5fee6fd5000072ff32f2d65b6451f39af9e0e39e (diff) | |
| download | jquery-ui-f2854408cce7e4b7fc6bf8676761904af9c96bde.tar.gz jquery-ui-f2854408cce7e4b7fc6bf8676761904af9c96bde.zip | |
Tooltip: Escape the title attribute so that it's treated as text and not HTML. Fixes #8861 - Tooltip: XSS vulnerability in default content.
| -rw-r--r-- | demos/autocomplete/combobox.html | 2 | ||||
| -rw-r--r-- | tests/unit/tooltip/tooltip_options.js | 14 | ||||
| -rw-r--r-- | ui/jquery.ui.tooltip.js | 4 |
3 files changed, 18 insertions, 2 deletions
diff --git a/demos/autocomplete/combobox.html b/demos/autocomplete/combobox.html index 8c6f59fc1..6229d47b2 100644 --- a/demos/autocomplete/combobox.html +++ b/demos/autocomplete/combobox.html @@ -61,7 +61,7 @@ // remove invalid value, as it didn't match anything $( element ) .val( "" ) - .attr( "title", $( "<a>" ).text( value ).html() + " didn't match any item" ) + .attr( "title", value + " didn't match any item" ) .tooltip( "open" ); select.val( "" ); setTimeout(function() { diff --git a/tests/unit/tooltip/tooltip_options.js b/tests/unit/tooltip/tooltip_options.js index f9da27fb7..01ac25040 100644 --- a/tests/unit/tooltip/tooltip_options.js +++ b/tests/unit/tooltip/tooltip_options.js @@ -16,6 +16,20 @@ test( "content: default", function() { deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), "anchortitle" ); }); +test( "content: default; HTML escaping", function() { + expect( 2 ); + var scriptText = "<script>$.ui.tooltip.hacked = true;</script>", + element = $( "#tooltipped1" ); + + $.ui.tooltip.hacked = false; + element.attr( "title", scriptText ) + .tooltip() + .tooltip( "open" ); + equal( $.ui.tooltip.hacked, false, "script did not execute" ); + deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), scriptText, + "correct tooltip text" ); +}); + test( "content: return string", function() { expect( 1 ); var element = $( "#tooltipped1" ).tooltip({ diff --git a/ui/jquery.ui.tooltip.js b/ui/jquery.ui.tooltip.js index 2ccd61f46..ab8d5173c 100644 --- a/ui/jquery.ui.tooltip.js +++ b/ui/jquery.ui.tooltip.js @@ -46,7 +46,9 @@ $.widget( "ui.tooltip", { version: "@VERSION", options: { content: function() { - return $( this ).attr( "title" ); + var title = $( this ).attr( "title" ); + // Escape title, since we're going from an attribute to raw HTML + return $( "<a>" ).text( title ).html(); }, hide: true, // Disabled elements have inconsistent behavior across browsers (#8661) |