Skip to content

fix: DOM text reinterpreted as HTML Improper Neutralization of Input Cross-site Scripting #1610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
odaysec wants to merge 1 commit into from
Closed

fix: DOM text reinterpreted as HTML Improper Neutralization of Input Cross-site Scripting #1610

odaysec wants to merge 1 commit into from

Conversation

@odaysec
Copy link

@odaysec odaysec commented Feb 28, 2025

mongo/src/third_party/wiredtiger/src/docs/style/header-web.html

Line 42 in 0a68308

<select id="version_select" onchange="window.location=window.location.href.replace('$projectbrief',this.value);">

Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability. A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.

POC

The following vulnerable shows a webpage using a data-target attribute to select and manipulate a DOM element using the JQuery library. In the data-target attribute is read into the target variable, and the $ function is then supposed to use the target variable as a CSS selector to determine which element should be manipulated.

$("button").click(function () {
    var target = $(this).attr("data-target");
    $(target).hide();
});

However, if an attacker can control the data-target attribute, then the value of target can be used to cause the $ function to execute arbitrary JavaScript.

The above vulnerability can be fixed by using $.find instead of $. The $.find function will only interpret target as a CSS selector and never as HTML, thereby preventing an XSS attack.

$("button").click(function () {
    var target = $(this).attr("data-target");
	$.find(target).hide();
});

References

@kelly-cs
Copy link
Contributor

kelly-cs commented Feb 28, 2025

Hi @odaysec!

Thanks for the report! This code is imported from https://github.com/wiredtiger/wiredtiger/blob/develop/src/docs/style/header-web.html so that repo probably makes more sense for the change.

Since this is a security issue, we normally prefer the bug submission form. I've flagged this internally.

@odaysec odaysec closed this by deleting the head repository Sep 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@odaysec @kelly-cs