Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Checkboxradio's label text being evaluated as HTML on refresh #2101

Closed
Elkano opened this issue Jul 8, 2022 · 3 comments · Fixed by #2102
Closed

Checkboxradio's label text being evaluated as HTML on refresh #2101

Elkano opened this issue Jul 8, 2022 · 3 comments · Fixed by #2102
Assignees
@mgol
Labels
Bug Comp: Checkboxradio
Milestone
1.13.2

Comments

@Elkano
Copy link

Elkano commented Jul 8, 2022
edited
Loading

If you generate a Checkboxradio from a checkbox/radio with a label that contains encoded HTML, e.g. <em>test</em> this will work fine at first.
If however a refresh is triggered on that instance (explicitly or e.g. by turning it into a Controlgroup), the previously escaped HTML will now be evaluated.

If the label was created based on some user input, this could lead to unexpected code execution even though the initial output was escaped.

Example:
https://jsfiddle.net/69krwj75/

This is caused by the initial label being read as text (and thus decoded) for text nodes.

jquery-ui/ui/widgets/checkboxradio.js

Line 78 in d66fdd5

that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML;

When the label is later updated, it is however done via append.

jquery-ui/ui/widgets/checkboxradio.js

Line 263 in d66fdd5

this.label.append( this.options.label );

A fix would likely be to read the initial label text as HTML as well to preserve the encoding of the entities, however the likely was some reason to do things the way they currently are.

Judging from the blame, this bug has existed since the initial code from 8 years ago.

I'm aware that the teams resources are limited but I wanted to at least report the bug.
As a workaround, one can wrap their text into a <span> and thus causing it to be read via this.outerHTML instead.
@mgol mgol added this to the 1.13.2 milestone Jul 14, 2022
@mgol mgol self-assigned this Jul 14, 2022
mgol added a commit to mgol/jquery-ui that referenced this issue Jul 14, 2022
@mgol
Checkboxradio: Don't re-evaluate text labels as HTML
e94e6dc 
If you generate a Checkboxradio from a checkbox/radio with a label that
contains encoded HTML, e.g. `&lt;em&gt;test&lt;/em&gt;` this will work fine
at first. If, however a refresh is triggered on that instance (explicitly or
e.g. by turning it into a `Controlgroup`), the previously escaped HTML will
now be evaluated.

If the label was created based on some user input, this could lead to
unexpected code execution even though the initial output was escaped.

Fixes jquerygh-2101
@mgol mgol mentioned this issue Jul 14, 2022
Merged
mgol added a commit that referenced this issue Jul 14, 2022
@mgol
Checkboxradio: Don't re-evaluate text labels as HTML
8cc5bae 
If you generate a Checkboxradio from a checkbox/radio with a label that
contains encoded HTML, e.g. `&lt;em&gt;test&lt;/em&gt;` this will work fine
at first. If, however a refresh is triggered on that instance (explicitly or
e.g. by turning it into a `Controlgroup`), the previously escaped HTML will
now be evaluated.

If the label was created based on some user input, this could lead to
unexpected code execution even though the initial output was escaped.

Fixes gh-2101
Closes gh-2102
@mgol
Copy link
Member

mgol commented Jul 14, 2022

Thanks for the report! PR: #2102. We've just released it as part of 1.13.2: https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

I'll request a CVE shortly.

In the future, please direct security reports at [email protected] instead of GitHub issues so that they are not immediately visible to the whole world. I'll add the SECURITY.md file to this repo to make this policy clearer; we already have one for jQuery but we missed one for UI.

@mgol
Copy link
Member

mgol commented Jul 17, 2022

@Elkano I submitted a security advisory at:
GHSA-h6gj-6jjq-h8g9
and added you in the Credits section; if you want to show up there, you’ll need to approve.

@mgol
Copy link
Member

mgol commented Jul 18, 2022

The issue now has its CVE identifier: CVE-2022-31160.

@AASMACMX AASMACMX mentioned this issue Feb 26, 2023
Open
@OutdoormanBp OutdoormanBp mentioned this issue Jun 27, 2023
Closed
@AASMACMX AASMACMX mentioned this issue Apr 26, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 10, 2023
Open
@herry2525 herry2525 mentioned this issue Sep 4, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mgol mgol

Labels
Bug Comp: Checkboxradio
Milestone
1.13.2
Development

Successfully merging a pull request may close this issue.

Checkboxradio: Don't re-evaluate text labels as HTML mgol/jquery-ui
2 participants
@Elkano @mgol