diff options
| author | don-spyker <40198493+don-spyker@users.noreply.github.com> | 2018-08-13 19:09:18 +0300 |
|---|---|---|
| committer | Johann-S <johann.servoire@gmail.com> | 2018-08-13 19:09:18 +0300 |
| commit | 2a5ba23ce8f041f3548317acc992ed8a736b609d (patch) | |
| tree | ccd259952209d2435661a845e9f2bf6253d13ad4 | |
| parent | 13bf8aeae3db71e28af69782328c22215795c169 (diff) | |
Fix/xss issues on data attributes (#27047)
* fix(collapse): xss CVE-2018-14040
Fixes #26625
* fix(tooltip): xss CVE-2018-14042
Fixes #26628
* fix(tooltip): XSS on data-viewport attribute
Fixes #27044
* fix(affix): XSS on target config
Fixes #27045
| -rw-r--r-- | js/affix.js | 4 | ||||
| -rw-r--r-- | js/collapse.js | 2 | ||||
| -rw-r--r-- | js/tests/unit/affix.js | 15 | ||||
| -rw-r--r-- | js/tests/unit/collapse.js | 10 | ||||
| -rw-r--r-- | js/tests/unit/tooltip.js | 18 | ||||
| -rw-r--r-- | js/tooltip.js | 4 |
6 files changed, 49 insertions, 4 deletions
diff --git a/js/affix.js b/js/affix.js index b86bc4f340..481987a95e 100644 --- a/js/affix.js +++ b/js/affix.js @@ -16,7 +16,9 @@ var Affix = function (element, options) { this.options = $.extend({}, Affix.DEFAULTS, options) - this.$target = $(this.options.target) + var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target) + + this.$target = target .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this)) .on('click.bs.affix.data-api', $.proxy(this.checkPositionWithEventLoop, this)) diff --git a/js/collapse.js b/js/collapse.js index fcf8f3cbab..5cf64de1c1 100644 --- a/js/collapse.js +++ b/js/collapse.js @@ -137,7 +137,7 @@ } Collapse.prototype.getParent = function () { - return $(this.options.parent) + return $(document).find(this.options.parent) .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]') .each($.proxy(function (i, element) { var $element = $(element) diff --git a/js/tests/unit/affix.js b/js/tests/unit/affix.js index 3a6918f866..b2d596e947 100644 --- a/js/tests/unit/affix.js +++ b/js/tests/unit/affix.js @@ -104,4 +104,19 @@ $(function () { }, 250) }, 250) }) + + QUnit.test('should raise exception to avoid xss on target', function (assert) { + assert.expect(1) + assert.throws(function () { + + var templateHTML = '<div id="affixTarget"></div>' + $(templateHTML).appendTo(document.body) + + $('#affixTarget').bootstrapAffix({ + target: '<img src=1 onerror=\'alert(0)\'>' + }) + + }, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>')) + }) + }) diff --git a/js/tests/unit/collapse.js b/js/tests/unit/collapse.js index 0efa65400d..decad25acd 100644 --- a/js/tests/unit/collapse.js +++ b/js/tests/unit/collapse.js @@ -440,4 +440,14 @@ $(function () { .bootstrapCollapse('show') }) + QUnit.test('should raise exception to avoid xss on data-parent', function (assert) { + assert.expect(1) + assert.throws(function () { + $('<a role="button" data-toggle="collapse" data-parent="<img src=1 onerror=\'alert(0)\'>" href="#collapseThree">') + .appendTo('#qunit-fixture') + .bootstrapCollapse('show') + .trigger('click'); + }, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>')) + }) + }) diff --git a/js/tests/unit/tooltip.js b/js/tests/unit/tooltip.js index 27ce6208e7..57c021b61a 100644 --- a/js/tests/unit/tooltip.js +++ b/js/tests/unit/tooltip.js @@ -1322,4 +1322,22 @@ $(function () { }) }) + QUnit.test('should raise exception to avoid xss on data-container', function (assert) { + assert.expect(1) + assert.throws(function () { + $('<button data-toggle="tooltip" data-container="<img src=1 onerror=\'alert(0)\'>" title="Tooltip on right">Tooltip on right</button>') + .appendTo('#qunit-fixture') + .bootstrapTooltip('show') + }, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>')) + }) + + QUnit.test('should raise exception to avoid xss on data-viewport', function (assert) { + assert.expect(1) + assert.throws(function () { + $('<button data-toggle="tooltip" data-viewport="<img src=1 onerror=\'alert(0)\'>" title="Tooltip on right">Tooltip on right</button>') + .appendTo('#qunit-fixture') + .bootstrapTooltip('show') + }, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>')) + }) + }) diff --git a/js/tooltip.js b/js/tooltip.js index 968a97871a..f7b0d00e79 100644 --- a/js/tooltip.js +++ b/js/tooltip.js @@ -51,7 +51,7 @@ this.type = type this.$element = $(element) this.options = this.getOptions(options) - this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) + this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) this.inState = { click: false, hover: false, focus: false } if (this.$element[0] instanceof document.constructor && !this.options.selector) { @@ -204,7 +204,7 @@ .addClass(placement) .data('bs.' + this.type, this) - this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element) + this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element) this.$element.trigger('inserted.bs.' + this.type) var pos = this.getPosition() |