jQuery html() Cross Site Scripting

2020.04.28
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# jquery-xss-in-html jQuery &lt; 3.5 Cross-Site Scripting (XSS) in html() Timmy Willison recently released a new version of jQuery. jQuery 3.5 fixes a cross-site scripting (XSS) vulnerability found in the jQuery’s HTML parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities. Masato Kinugawa found a cross-site scripting (XSS) vulnerability in the htmlPrefilter method of jQuery, and published an example showing a popup alert window in the form of a challenge. (https://xss.pwnfunction.com/challenges/ww3/) Below is a CodeQL query I wrote that can find user controlled values passed to html() which can be abused to perform Cross-Site Scripting. Please check your projects, submit responsible disclosures to projects that might be affected. ``` /** * @name Taint-tracking to 'html' calls (with path visualization) * @description Tracks user-controlled values into 'html' calls (vulnerable to XSS in jQuery < 3.5) * and generates a visualizable path from the source to the sink. * @kind path-problem * @tags security * @id js/html-taint-path */ import javascript import DataFlow import DataFlow::PathGraph import DOM import semmle.javascript.dependencies.FrameworkLibraries class HtmlTaint extends TaintTracking::Configuration { HtmlTaint() { this = "HtmlTaint" } override predicate isSource(Node node) { node = DOM::locationSource() } override predicate isSink(Node node) { node =jquery().getACall().getAMethodCall("html").getArgument(0) } } from HtmlTaint cfg, PathNode source, PathNode sink, FrameworkLibraryInstance framework, string version where cfg.hasFlowPath(source, sink) and framework.info("jquery", version) select sink.getNode(), source, sink, "Html with user-controlled input from $@. When using jquery version $@.", source.getNode(), "here", framework, version ```


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top