authorJohann-S <johann.servoire@gmail.com>2017-08-26 12:43:06 +0300
committerJohann-S <johann.servoire@gmail.com>2017-09-14 11:07:51 +0300
commit29f9237f735b90dbc89e003db0c62dec2db0b308 (patch)
treeace6eca412f29d2c18c4391b45583507afdcf606 /js
parent4731b239b1d2969b3e0262fb3e85ff8ce981e058 (diff)
Fix XSS in Alert, Carousel, Collapse, Dropdown and Modal
Diffstat (limited to 'js')
-rw-r--r--js/alert.js3
-rw-r--r--js/carousel.js11
-rw-r--r--js/collapse.js2
-rw-r--r--js/dropdown.js2
-rw-r--r--js/modal.js5
-rw-r--r--js/tests/visual/collapse.html4
-rw-r--r--js/tests/visual/modal.html3
7 files changed, 23 insertions, 7 deletions
diff --git a/js/alert.js b/js/alert.js
index 058d82527c..2052d1ad1a 100644
--- a/js/alert.js
+++ b/js/alert.js
@@ -31,7 +31,8 @@
selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
}
- var $parent = $(selector === '#' ? [] : selector)
+ selector = selector === '#' ? [] : selector
+ var $parent = $(document).find(selector)
if (e) e.preventDefault()
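Review bot: The document-scoped lookup on L34 keeps jQuery from parsing a `<…>` data-target as HTML, but a value that is not a valid CSS selector (the very payload this commit defends against) will, if I read jQuery's `.find` correctly, make Sizzle throw a syntax error out of the delegated click handler instead of leaving `$parent` empty for the existing `$parent.length` fallback. Consider guarding the lookup, e.g. `try { $parent = $(document).find(selector) } catch (err) { $parent = $() }`, or reusing the `/#[A-Za-z]/` check that dropdown.js applies to the same stripped string so that non-selector text is discarded before it reaches Sizzle. A why-comment would also help the next maintainer not "simplify" this back: `// scoped to document so a '<…>' attribute is never handed to $() and parsed as HTML`. The close handler this belongs to starts and ends outside the hunk.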
diff --git a/js/carousel.js b/js/carousel.js
index 3f642f35bf..ea9486f49a 100644
--- a/js/carousel.js
+++ b/js/carousel.js
@@ -206,10 +206,17 @@
// =================
var clickHandler = function (e) {
- var href
var $this = $(this)
- var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+ var href = $this.attr('href')
+ if (href) {
+ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ }
+
+ var target = $this.attr('data-target') || href
+ var $target = $(document).find(target)
+
if (!$target.hasClass('carousel')) return
+
var options = $.extend({}, $target.data(), $this.data())
var slideIndex = $this.attr('data-slide-to')
if (slideIndex) options.interval = false
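Review bot: `$(document).find(target)` on L52 can throw a Sizzle syntax error for a data-target that is not a selector, so the `hasClass('carousel')` guard on L54 never gets to reject it and the error surfaces as an uncaught exception in the click handler; this is my reading of jQuery's `.find`, worth confirming against the version bundled with the tests. Wrapping the lookup (`try { $target = $(document).find(target) } catch (err) { return }`) would keep the pre-commit behaviour of silently ignoring an unusable trigger while still never passing the attribute to `$()`. The `if (href)` block on L47-L49 would also benefit from a comment saying that only fragment identifiers are kept, since the regex silently leaves a non-fragment href untouched. clickHandler continues past the end of the hunk.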
diff --git a/js/collapse.js b/js/collapse.js
index 08862a50c4..fcf8f3cbab 100644
--- a/js/collapse.js
+++ b/js/collapse.js
@@ -160,7 +160,7 @@
var target = $trigger.attr('data-target')
|| (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
- return $(target)
+ return $(document).find(target)
}
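Review bot: The stripped `target` on L64-L65 is returned through `$(document).find(target)` on L67 with no check that it is a selector at all, so a non-fragment href (a full URL, or the `<img …>` string the new collapse.html fixture uses) reaches Sizzle unchanged; as far as I can tell that now raises a selector syntax error in the caller rather than yielding an empty set. A small guard, `try { return $(document).find(target) } catch (err) { return $() }`, would preserve the old "no target, do nothing" outcome without reintroducing the HTML-parsing path. The function's signature is outside the hunk, so document the contract there: `// Resolves a trigger's data-target/href to a jQuery set; never passes the raw attribute to $() because a '<…>' value would be parsed as HTML`.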
diff --git a/js/dropdown.js b/js/dropdown.js
index 75fa55ea86..c193f11d38 100644
--- a/js/dropdown.js
+++ b/js/dropdown.js
@@ -29,7 +29,7 @@
selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
}
- var $parent = selector && $(selector)
+ var $parent = selector && $(document).find(selector)
return $parent && $parent.length ? $parent : $this.parent()
}
diff --git a/js/modal.js b/js/modal.js
index f0ef87b94a..329be05382 100644
--- a/js/modal.js
+++ b/js/modal.js
@@ -322,7 +322,10 @@
$(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function (e) {
var $this = $(this)
var href = $this.attr('href')
- var $target = $($this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+ var target = $this.attr('data-target') ||
+ (href && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+
+ var $target = $(document).find(target)
var option = $target.data('bs.modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())
if ($this.is('a')) e.preventDefault()
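Review bot: The `remote` option on L93 is still computed from the raw `href` (`!/#/.test(href) && href`), so a non-fragment href on a `data-toggle="modal"` element is fetched and injected as HTML by the modal's remote loading; the document-scoped lookup added on L92 does not touch that path, and if the href can be influenced by untrusted content it remains an injection vector that this "Fix XSS" commit does not address. That is pre-existing rather than new, but it deserves at least a note in the commit message or a why-comment next to L92, e.g. `// .find() avoids $() treating a '<…>' data-target as HTML; the remote href below is still trusted`. As with the other files, a data-target that is not a valid selector will presumably make `.find` throw from this handler instead of returning an empty set; a `try`/`catch` around L92 would keep the handler quiet on garbage input. The handler body continues outside the hunk.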
diff --git a/js/tests/visual/collapse.html b/js/tests/visual/collapse.html
index 4fab1ff874..bc1b7fe16e 100644
--- a/js/tests/visual/collapse.html
+++ b/js/tests/visual/collapse.html
@@ -66,7 +66,9 @@
</div>
</div>
</div>
-
+ <button class="btn" data-toggle="collapse" data-target="<img src=x onerror=alert(0)>">
+ Collapse with an XSS
+ </button>
</div>
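Review bot: This fixture only proves the fix to a human clicking the button and watching for an alert; nothing asserts that no `<img>` element is created or that the handler does not throw, so a regression would go unnoticed in CI. A QUnit case in js/tests/unit that sets `data-target="<img src=x onerror=...>"`, triggers the click and asserts `$('img').length === 0` (and no exception) would turn the demonstration into a check. The button text could also state the expected outcome, e.g. "Collapse with an XSS (expected: nothing happens, no alert)", so the visual test is self-describing.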
<!-- JavaScript Includes -->
diff --git a/js/tests/visual/modal.html b/js/tests/visual/modal.html
index 6368733c16..ac2bdc448d 100644
--- a/js/tests/visual/modal.html
+++ b/js/tests/visual/modal.html
@@ -162,6 +162,9 @@
Tall body content to force the page to have a scrollbar.
</div>
+ <button class="btn btn-primary btn-lg" data-toggle="modal" data-target="&#x3C;div class=&#x22;modal fade the-bad&#x22; tabindex=&#x22;-1&#x22; role=&#x22;dialog&#x22;&#x3E;&#x3C;div class=&#x22;modal-dialog&#x22; role=&#x22;document&#x22;&#x3E;&#x3C;div class=&#x22;modal-content&#x22;&#x3E;&#x3C;div class=&#x22;modal-header&#x22;&#x3E;&#x3C;button type=&#x22;button&#x22; class=&#x22;close&#x22; data-dismiss=&#x22;modal&#x22; aria-label=&#x22;Close&#x22;&#x3E;&#x3C;span aria-hidden=&#x22;true&#x22;&#x3E;&#x26;times;&#x3C;/span&#x3E;&#x3C;/button&#x3E;&#x3C;h4 class=&#x22;modal-title&#x22;&#x3E;The Bad Modal&#x3C;/h4&#x3E;&#x3C;/div&#x3E;&#x3C;div class=&#x22;modal-body&#x22;&#x3E;This modal&#x27;s HTTML source code is declared inline, inside the data-target attribute of it&#x27;s show-button&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;">
+ Launch XSS modal
+ </button>
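Review bot: The fixture writes the whole "bad modal" markup into data-target as HTML entities, which the browser decodes to literal `<div …>` before the JS reads the attribute, so it does exercise the old `$(html)` path; but after this commit the button most likely does nothing visible (or logs a selector syntax error in the console), and the page gives no hint of what a passing run looks like. Add the expected outcome to the button label or a nearby paragraph, e.g. "Launch XSS modal (expected: no modal opens, no script runs)", so a tester does not mistake the silence for a broken fixture. The inline text also has two typos ("HTTML", "it's show-button"), worth fixing in a follow-up since it is a test page not under review here.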
</div>
<!-- JavaScript Includes -->