rooty/Bootstrap
0
0
Fork 0
mirror of https://github.com/twbs/bootstrap.git synced 2025-01-18 10:52:19 +01:00
Code Issues Actions Packages Releases Activity

Fix/xss issues on data attributes (#27047)

Browse Source 
* fix(collapse): xss CVE-2018-14040

Fixes #26625

* fix(tooltip): xss CVE-2018-14042

Fixes #26628

* fix(tooltip): XSS on data-viewport attribute

Fixes #27044

* fix(affix): XSS on target config

Fixes #27045
This commit is contained in:
don-spyker 2018-08-13 18:09:18 +02:00 committed by Johann-S
parent 13bf8aeae3
commit 2a5ba23ce8
6 changed files with 49 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
js/affix.js
View File

@ -16,7 +16,9 @@
var Affix = function (element, options) { var Affix = function (element, options) {
this.options = $.extend({}, Affix.DEFAULTS, options) this.options = $.extend({}, Affix.DEFAULTS, options)
this.$target = $(this.options.target) var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target)
this.$target = target
.on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this)) .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this))
.on('click.bs.affix.data-api', $.proxy(this.checkPositionWithEventLoop, this)) .on('click.bs.affix.data-api', $.proxy(this.checkPositionWithEventLoop, this))

2
js/collapse.js
View File

@ -137,7 +137,7 @@
} }
Collapse.prototype.getParent = function () { Collapse.prototype.getParent = function () {
return $(this.options.parent) return $(document).find(this.options.parent)
.find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]') .find('[data-toggle="collapse"][data-parent="' + this.options.parent + '"]')
.each($.proxy(function (i, element) { .each($.proxy(function (i, element) {
var $element = $(element) var $element = $(element)

15
js/tests/unit/affix.js
View File

@ -104,4 +104,19 @@ $(function () {
}, 250) }, 250)
}, 250) }, 250)
}) })
QUnit.test('should raise exception to avoid xss on target', function (assert) {
assert.expect(1)
assert.throws(function () {
var templateHTML = '<div id="affixTarget"></div>'
$(templateHTML).appendTo(document.body)
$('#affixTarget').bootstrapAffix({
target: '<img src=1 onerror=\'alert(0)\'>'
})
}, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>'))
})
}) })

10
js/tests/unit/collapse.js
View File

@ -440,4 +440,14 @@ $(function () {
.bootstrapCollapse('show') .bootstrapCollapse('show')
}) })
QUnit.test('should raise exception to avoid xss on data-parent', function (assert) {
assert.expect(1)
assert.throws(function () {
$('<a role="button" data-toggle="collapse" data-parent="<img src=1 onerror=\'alert(0)\'>" href="#collapseThree">')
.appendTo('#qunit-fixture')
.bootstrapCollapse('show')
.trigger('click');
}, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>'))
})
}) })

18
js/tests/unit/tooltip.js
View File

@ -1322,4 +1322,22 @@ $(function () {
}) })
}) })
QUnit.test('should raise exception to avoid xss on data-container', function (assert) {
assert.expect(1)
assert.throws(function () {
$('<button data-toggle="tooltip" data-container="<img src=1 onerror=\'alert(0)\'>" title="Tooltip on right">Tooltip on right</button>')
.appendTo('#qunit-fixture')
.bootstrapTooltip('show')
}, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>'))
})
QUnit.test('should raise exception to avoid xss on data-viewport', function (assert) {
assert.expect(1)
assert.throws(function () {
$('<button data-toggle="tooltip" data-viewport="<img src=1 onerror=\'alert(0)\'>" title="Tooltip on right">Tooltip on right</button>')
.appendTo('#qunit-fixture')
.bootstrapTooltip('show')
}, new Error('Syntax error, unrecognized expression: <img src=1 onerror=\'alert(0)\'>'))
})
}) })

4
js/tooltip.js
View File

@ -51,7 +51,7 @@
this.type = type this.type = type
this.$element = $(element) this.$element = $(element)
this.options = this.getOptions(options) this.options = this.getOptions(options)
this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)) this.$viewport = this.options.viewport && $(document).find($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
this.inState = { click: false, hover: false, focus: false } this.inState = { click: false, hover: false, focus: false }
if (this.$element[0] instanceof document.constructor && !this.options.selector) { if (this.$element[0] instanceof document.constructor && !this.options.selector) {
@ -204,7 +204,7 @@
.addClass(placement) .addClass(placement)
.data('bs.' + this.type, this) .data('bs.' + this.type, this)
this.options.container ? $tip.appendTo(this.options.container) : $tip.insertAfter(this.$element) this.options.container ? $tip.appendTo($(document).find(this.options.container)) : $tip.insertAfter(this.$element)
this.$element.trigger('inserted.bs.' + this.type) this.$element.trigger('inserted.bs.' + this.type)
var pos = this.getPosition() var pos = this.getPosition()