Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Fix code scanning alert - Unsafe jQuery plugin #18

Closed
1 task
novalagung opened this issue Sep 9, 2022 · 2 comments · Fixed by #19
Closed
1 task

Fix code scanning alert - Unsafe jQuery plugin #18

novalagung opened this issue Sep 9, 2022 · 2 comments · Fixed by #19

Comments

@novalagung
Copy link
Owner

novalagung commented Sep 9, 2022
edited
Loading

Tracking issue for:

Issue location

muslimboard/website/res/assets/base/util.js

Line 99 in 6d68754

config.target = $(config.target); 

Potential XSS vulnerability in the '$.fn.panel' plugin

Library plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.

Recommendation

Document all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.

Example

The following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option sourceSelector as a CSS selector.

jQuery.fn.copyText = function(options) {
	// BAD may evaluate `options.sourceSelector` as HTML
	var source = jQuery(options.sourceSelector),
	    text = source.text();
	jQuery(this).text(text);
}

This is, however, not a safe plugin, since the call to jQuery interprets sourceSelector as HTML if it is a string that starts with <.

Instead of documenting that the client is responsible for sanitizing sourceSelector, the plugin can use jQuery.find to always interpret sourceSelector as a CSS selector:

jQuery.fn.copyText = function(options) {
	// GOOD may not evaluate `options.sourceSelector` as HTML
	var source = jQuery.find(options.sourceSelector),
	    text = source.text();
	jQuery(this).text(text);
}

References
@muhfaris
Copy link

muhfaris commented Sep 9, 2022

linknya nggak bisa dibuka mas @novalagung

@novalagung
Copy link
Owner Author

iya sepertinya yg bisa buka cuma maintainer. issue nya kurang lebih di sini:

muslimboard/website/res/assets/base/util.js

Line 99 in 6d68754

config.target = $(config.target); 

Potential XSS vulnerability in the '$.fn.panel' plugin

@muhfaris detailnya sudah saya taruh di deskripsi issue

@novalagung novalagung mentioned this issue Sep 10, 2022
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: unsafe jquery plugin novalagung/muslimboard
2 participants
@novalagung @muhfaris