[Security] Prevent XSS attack in captions #378

Open: wants to merge 1 commit into base branch `master`

Conversation


@MrPetovan MrPetovan commented Feb 5, 2023

We're using Justified Gallery over at Friendica, and a security vulnerability related to this JavaScript library has been reported to us. Image captions, even correctly escaped in the source page HTML, end up being interpreted as literal HTML in the Justified Gallery output.

This is because jQuery `$('<div>' + caption + '</div>')` treats `caption` as literal HTML. However, this value comes from HTML attributes that shouldn't contain literal HTML themselves.

The fix is simple and ensures jQuery uses the `.createTextNode()` DOM method internally, which escapes literal HTML in the output HTML tag.

I have checked for any other place the replaced structure would make sense.
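The mechanism described in the PR, as an added illustration that is not code from Justified Gallery or from the PR author. It models the three steps without a browser: the HTML parser decodes entities in an `alt` attribute, the concatenation pattern `$('<div>' + caption + '</div>')` re-parses that decoded value as markup, and a text node serializes it back escaped. The sample attribute value is constructed; the assumption that the fix takes the form of jQuery's `.text()` (which reaches `createTextNode`) is mine, since the diff is not shown on this page.

```javascript
// Added illustration (not Justified Gallery code): why a caption read from an
// HTML attribute must be inserted into the DOM as text rather than as HTML.

// Constructed sample: the page author correctly entity-escaped the alt attribute.
const SOURCE_ALT_ATTRIBUTE = 'Photo of &lt;b&gt;Alice&lt;/b&gt; &amp; Bob';

// The browser's HTML parser decodes entities when it reads an attribute, so
// img.alt (what jQuery's .attr('alt') returns) already contains literal '<',
// '>' and '&'. Decoding &amp; last avoids double-decoding "&amp;lt;".
function decodeAttributeValue(raw) {
  return raw
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern, mirroring $('<div>' + caption + '</div>'): the decoded
// attribute value is concatenated into an HTML string, so the parser treats
// any tags inside it as markup again.
function buildCaptionHtmlVulnerable(caption) {
  return '<div class="caption">' + caption + '</div>';
}

// What a text node does when serialized: the characters that could start
// markup are escaped, so the caption is displayed verbatim. This models the
// effect of $('<div>').text(caption), which hands the string to createTextNode
// (assumed form of the fix; the PR diff is not shown on this page).
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function buildCaptionHtmlSafe(caption) {
  return '<div class="caption">' + escapeText(caption) + '</div>';
}

// Defender-side check: list the element names a snippet would create. The
// caption wrapper should be the only element; anything else came from the
// caption itself and indicates that attribute content was promoted to markup.
function tagNames(html) {
  const names = [];
  const re = /<\/?([A-Za-z][A-Za-z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function demo() {
  const caption = decodeAttributeValue(SOURCE_ALT_ATTRIBUTE);
  const vulnerable = buildCaptionHtmlVulnerable(caption);
  const safe = buildCaptionHtmlSafe(caption);
  return {
    caption,
    vulnerable,
    safe,
    vulnerableTags: tagNames(vulnerable),
    safeTags: tagNames(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `node` on the file prints both renderings: the vulnerable string contains a `<b>` element that the page author never wrote as markup, while the safe string contains only the wrapper `div` and round-trips the caption back to exactly the escaped form it had in the source attribute. The same check applies to any value taken from `alt`, `title` or a `data-*` attribute: if it is shown as text, it has to enter the DOM as a text node, not as an HTML fragment.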
