
huntr-helper

https://huntr.dev/users/mufeedvh has fixed the Cross-site Scripting (XSS) vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
GitHub Issue | #508
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/jquery-confirm/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-jquery-confirm

⚙️ Description *

The project jquery-confirm adds classes to HTML elements without any validation, causing an HTML Injection.

💻 Technical Description *

The code dynamically creates an HTML element for the setIcon and closeIconClass actions and adds classes directly to the elements, making it vulnerable to an HTML Injection Vulnerability.

The implementation should not be like this, and sanitizing/escaping the input class is also not the way, as there is a dedicated function in jQuery to do just what we want: addClass().

This is also suggested by the reporter of this vulnerability: #508 (comment).

🐛 Proof of Concept (PoC) *

<html>
<head>
   <title>jquery-confirm HTML Injection PoC</title>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
   <script src="js/jquery-confirm.js"></script>
   <script>
      $.confirm().setIcon('"><img src onerror="alert(1337)"><"')
   </script>
</head>
<body>
    ...
</body>
</html>

🔥 Proof of Fix (PoF) *

As suggested by the reporter, I implemented the jQuery dedicated function addClass() to add the class to the particular dynamically created element, completely preventing any bypasses possible.

👍 User Acceptance Testing (UAT)

Just added a JQuery function on a JQuery project. 😉
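
The difference between the two approaches named in the pull request description above, as an added example that is not part of the original post or of jquery-confirm's code. It is a DOM-free model that runs in Node; all function names are hypothetical, and the payload string is the one from the PoC.

```javascript
// Added illustration; function names are hypothetical, not jquery-confirm's API.
// PAYLOAD is the string passed to setIcon() in the PoC on this page.
const PAYLOAD = '"><img src onerror="alert(1337)"><"';

// Pattern the PR describes: the class value is concatenated into markup
// that is later parsed as HTML, so a quote in the value ends the attribute.
function buildIconByConcat(iconClass) {
  return '<i class="' + iconClass + '"></i>';
}

// Model of addClass(): the value is split on whitespace into class tokens
// and stored on an existing element as data. Nothing is parsed as HTML.
function buildIconByAddClass(iconClass) {
  const el = { tag: 'i', classes: [] };
  for (const token of String(iconClass).split(/\s+/).filter(Boolean)) {
    if (!el.classes.includes(token)) el.classes.push(token);
  }
  return el;
}

// Serialize the element model, escaping the attribute value (a simplified
// stand-in for what a DOM serializer does).
function serialize(el) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<${el.tag} class="${esc(el.classes.join(' '))}"></${el.tag}>`;
}

// List the opening tags a parser would see in a markup string
// (simplified tokenizer: tag name, then quoted or unquoted attribute text).
function openTags(html) {
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b(?:"[^"]*"|'[^']*'|[^'">])*>/g;
  return [...html.matchAll(re)].map((m) => m[1].toLowerCase());
}

function compare(value) {
  return {
    concat: openTags(buildIconByConcat(value)),
    addClass: openTags(serialize(buildIconByAddClass(value))),
  };
}

console.log(compare(PAYLOAD));          // injected <img> appears only under concat
console.log(compare('fa fa-warning'));  // benign value: one <i> either way
```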

@JamieSlome

@craftpip - any updates on this?

Cheers! 🍰

@kms0219kms

@craftpip
