Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

tooltip - XSS on data-viewport attribute #27044

Closed
don-spyker opened this issue Aug 10, 2018 · 0 comments
Closed

tooltip - XSS on data-viewport attribute #27044

don-spyker opened this issue Aug 10, 2018 · 0 comments
Labels
js v3

Comments

@don-spyker
Copy link

don-spyker commented Aug 10, 2018
edited
Loading

found in bootstrap 3.3.7

<a href="#" data-toggle="tooltip" data-viewport="<img src=1 onerror=alert(123) />" title="Hooray!">Hover over me</a>
https://jsbin.com/qipirurise/edit?html,output

Win 7 x64
Chrome 67.0.3396.99
Firefox 61.0.1 (64-Bit)
@don-spyker don-spyker mentioned this issue Aug 10, 2018
Merged
don-spyker added a commit to don-spyker/bootstrap that referenced this issue Aug 10, 2018
@don-spyker
fix(tooltip): XSS on data-viewport attribute
5c71ecf 
Fixes twbs#27044
Johann-S pushed a commit that referenced this issue Aug 13, 2018
@don-spyker @Johann-S
Fix/xss issues on data attributes (#27047)
2a5ba23 
* fix(collapse): xss CVE-2018-14040

Fixes #26625

* fix(tooltip): xss CVE-2018-14042

Fixes #26628

* fix(tooltip): XSS on data-viewport attribute

Fixes #27044

* fix(affix): XSS on target config

Fixes #27045
@AASMACMX AASMACMX mentioned this issue Feb 26, 2023
Open
@AASMACMX AASMACMX mentioned this issue Apr 26, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 10, 2023
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
js v3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Johann-S @don-spyker