[xss] - XSS via filename #31

pwnetrationguru · 2014-06-10T20:14:26Z

https://github.com/grevory/bootstrap-file-input/blob/master/bootstrap.file-input.js#L112:

$(this).parent().after('<span class="file-input-name">'+fileName+'</span>');

This opens up users of this library to XSS attacks [1]. fileName should be escaped before it is used inside raw HTML.

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

The text was updated successfully, but these errors were encountered:

pwnetrationguru · 2014-06-10T20:40:42Z

I would suggest a fix that uses textContent or jQuery's text() method:

diff --git a/vendor/assets/javascripts/bootstrap-fileinput.js b/vendor/assets/javascripts/bootstrap-fileinput.js
index 9467b45..d912909 100644
--- a/vendor/assets/javascripts/bootstrap-fileinput.js
+++ b/vendor/assets/javascripts/bootstrap-fileinput.js
@@ -103,7 +103,9 @@ $.fn.bootstrapFileInput = function() {
         fileName = fileName.substring(fileName.lastIndexOf('\\')+1,fileName.length);
       }

-      $(this).parent().after('<span class="file-input-name">'+fileName+'</span>');
+      var span = jQuery('<span></span>', {"class":"file-input-name"});
+      span.text(fileName);
+      $(this).parent().after(span);
     });

   });

tkhduracell mentioned this issue Jul 3, 2014

Protection against XSS, using JQuery text() escape, fixes #31 #32

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[xss] - XSS via filename #31

[xss] - XSS via filename #31

pwnetrationguru commented Jun 10, 2014

pwnetrationguru commented Jun 10, 2014

[xss] - XSS via filename #31

[xss] - XSS via filename #31

Comments

pwnetrationguru commented Jun 10, 2014

pwnetrationguru commented Jun 10, 2014