
HTML is unescaped in tooltips, leading to XSS vulnerability when using user input

Howdy,

I noticed when using Tipped that user input is not properly escaped. When the "title" attribute of a Tipped element is supplied by user input, the browser executes JavaScript code inside of it (e.g. '<script>alert("foo");</script>').

Here is a problematic example:

<% user_title = '<script>alert("foo");</script>' %>
<th scope="row" class="js-tooltip" title="<%= user_title %>" data-tipped-options="position: 'topleft'">

Rails escapes HTML characters, but it appears that Tipped unescapes them. For example, this will be executed, as well:

&lt;img src=&quot;nope&quot; onerror=&quot;alert('xss')&quot;&gt;

In order to use Tipped, we have to double-escape user-supplied strings in Ruby. I was hoping there's a global option to turn off un-escaping, but I'm not seeing anything in the docs.

Alternatively, is there an easier solution that I'm missing?

Thanks!

Michael
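To make the two rounds of decoding concrete, here is an added example (not from the original post and not Tipped's own code). It models the browser's decoding of an attribute value with CGI.unescapeHTML, then compares a single-escaped title (what Rails produces by default) with the double-escaped title the post proposes as a workaround; the helper names are assumptions for this illustration.

```ruby
require "cgi"

# Constructed inputs taken from the payloads quoted in the post.
USER_TITLE = '<script>alert("foo");</script>'
IMG_PAYLOAD = '<img src="nope" onerror="alert(\'xss\')">'

# Rails' default: one round of HTML escaping (what <%= %> does).
def single_escaped(str)
  CGI.escapeHTML(str)
end

# The workaround from the post: escape the already-escaped string again.
def double_escaped(str)
  CGI.escapeHTML(CGI.escapeHTML(str))
end

# The markup an ERB template would emit for the title attribute.
def title_attribute_markup(escaped_title)
  %(title="#{escaped_title}")
end

# Models the browser: an attribute's value is entity-decoded exactly once
# when the DOM is built, so element.title holds the decoded string.
def browser_attribute_value(attr_markup)
  CGI.unescapeHTML(attr_markup)
end

# Models the behaviour described in the post: the tooltip library takes
# the decoded title and renders it as HTML rather than as text.
def rendered_tooltip_html(attr_markup)
  browser_attribute_value(attr_markup)
end

# True if the rendered tooltip still contains a real tag.
def contains_live_markup?(html)
  html.match?(/<[a-z]/i)
end

# Single escape: the decoded title is the raw payload, and it becomes live markup.
# Double escape: the decoded title is the single-escaped text, so it renders inert.
if __FILE__ == $PROGRAM_NAME
  [USER_TITLE, IMG_PAYLOAD].each do |payload|
    puts "single: #{rendered_tooltip_html(single_escaped(payload))}"
    puts "double: #{rendered_tooltip_html(double_escaped(payload))}"
  end
end
```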
