After reading this question, users warned that this method of encoding HTML is unsafe:

    return $('<div/>').html(encodedText).text();

"don't use jQuery.html().text() to decode html entities as it's unsafe because user input should never have access to the DOM"

"I suggest using a safer, more optimized function"

The purpose of this method is to take encoded input, i.e. `Fish &amp; chips`, and produce unencoded output, i.e. `Fish & Chips`.

So as I understand it, they claim that for some value of `encodedText`, JavaScript can be executed. I tried to reproduce this by setting `encodedText` to `<script>alert(1)</script>` and a few other simple attacks, and was unable to find any signs of an XSS vulnerability.

My question is: is there any demonstrable XSS vulnerability in any browser when using `$('<div/>').html(encodedText).text()`?
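
A decoder that works on the string alone and never hands the input to an HTML parser, so any markup in the input stays inert text. This is an added example, not part of the original question: `decodeEntities` is a hypothetical name, and the `NAMED` table is a small constructed subset of the HTML named entities.

```javascript
// Added example: decode HTML entities by string processing only.
// No DOM node is ever built from the input, so markup in it stays plain text.
// NAMED is a small constructed subset of the HTML named-entity table.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0' };

function decodeEntities(encodedText) {
  // One left-to-right pass: the output of a replacement is never rescanned,
  // so "&amp;lt;" becomes "&lt;" and is not decoded a second time.
  return String(encodedText).replace(
    /&(?:#(\d+)|#[xX]([0-9a-fA-F]+)|([A-Za-z][A-Za-z0-9]*));/g,
    (match, dec, hex, name) => {
      if (name !== undefined) {
        // Own-property check so names like "constructor" are not resolved
        // through the prototype chain; unknown names are left as written.
        return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
      }
      const code = dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16);
      // NUL, surrogates and values beyond U+10FFFF become U+FFFD.
      if (!(code > 0 && code <= 0x10FFFF) || (code >= 0xD800 && code <= 0xDFFF)) {
        return '\uFFFD';
      }
      return String.fromCodePoint(code);
    }
  );
}

// Constructed sample inputs, including the string tried in the question.
const samples = [
  'Fish &amp; chips',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
  '<script>alert(1)</script>',
  '&#65;&#x42; &bogus; &amp;lt;',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(decodeEntities(s)));
}
```

The return value is a plain string; assign it with `textContent` or jQuery's `.text(value)` rather than `.html(value)` when displaying it.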
 
     
    