Commit fa21072

fix: security fix for cross-site scripting (xss) (#1)
The form library suffered from an XSS issue, which was caused by 2 minor issues inside the code, which made it possible to use eval on unsanitized values (inside the "override" of parseJSON) and to parse HTML from an unsanitized AJAX response. The 2 issues have been fixed in the following way:
1. The eval inside the parseJSON function has been removed, and an error has been added which arises when the default $.parseJSON function (on jQuery) isn't declared (anyone with good intentions would simply add the jQuery script on the page and all works correctly again).
2. The unsanitized AJAX response was previously passed to parseHTML without any check, making it possible to inject additional HTML. I used a peculiarity of jQuery to translate the evaluated HTML nodes into text nodes, which are equal to HTML-encoded entities.
1 parent 421b0ae commit fa21072
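The two fixes the commit message describes, as an added example in plain JavaScript that is not jquery.form's own code: an eval-based parseJSON fallback beside one that never evaluates code, and an escaping helper that reproduces what a text-node round trip (in a browser, `$('<div>').text(response).html()`) does to an AJAX response. `JSON.parse` stands in for jQuery's `$.parseJSON`, and all sample inputs are constructed.

```javascript
// 1. parseJSON fallback. The vulnerable pattern evaluates the response text
//    as JavaScript; the hardened version never evaluates code and fails
//    loudly if no real JSON parser exists (the commit throws when jQuery's
//    $.parseJSON is missing; JSON.parse stands in for it here).
function unsafeParseJSON(json) {
  return eval('(' + json + ')'); // vulnerable: runs any JS inside the "JSON"
}

function safeParseJSON(json) {
  if (typeof JSON === 'undefined' || typeof JSON.parse !== 'function') {
    throw new Error('no JSON parser available; load jQuery or a JSON polyfill');
  }
  return JSON.parse(json); // SyntaxError on anything that is not strict JSON
}

// true when the hardened parser refuses the input instead of executing it
function rejectsNonJson(json) {
  try { safeParseJSON(json); return false; } catch (e) { return e instanceof SyntaxError; }
}

// 2. AJAX response handling. The fix converts the response into text nodes,
//    so markup comes back as HTML-encoded entities instead of live elements.
//    This helper reproduces how a text node is serialised to HTML (only &,
//    non-breaking space, < and > are encoded) so it runs without a DOM.
function escapeHtmlAsTextNode(response) {
  return String(response)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Constructed sample inputs (not from the project): strict JSON, a body that
// is valid JavaScript but not JSON, and a response that carries a script tag.
const goodJson = '{"ok": true, "count": 2}';
const jsNotJson = '{ "count": 1 + 1 }';
const markup = '<p>Hello</p><script>1</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(safeParseJSON(goodJson));           // { ok: true, count: 2 }
  console.log(rejectsNonJson(jsNotJson));         // true
  console.log(unsafeParseJSON(jsNotJson).count);  // 2: eval executed the expression
  console.log(escapeHtmlAsTextNode(markup));      // &lt;p&gt;Hello&lt;/p&gt;&lt;script&gt;1&lt;/script&gt;
}
```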

6 files changed, +3578 -2241 lines changed


dist/jquery.form.min.js

Lines changed: 5 additions & 6 deletions

dist/jquery.form.min.js.map

Lines changed: 1 addition & 1 deletion

form.jquery.json

Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"name": "form",
33
"title": "jQuery Form",
4-
"version": "4.3.0",
4+
"version": "4.3.1",
55
"author": {
66
"name": "Kevin Morris",
77
"url": "https://github.com/kevindb/"
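Review bot: the version bump from 4.3.0 to 4.3.1 in form.jquery.json is the only change visible in this hunk, and nothing in the package metadata records that 4.3.1 is a security release; the XSS fix (eval removed from the parseJSON fallback, AJAX response converted to text nodes before parseHTML) lives only in the commit message. Consider adding a changelog or release-notes entry alongside the bump so consumers pinning 4.3.0 can see why they need to upgrade.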
