
HTML is unescaped in tooltips, leading to an XSS vulnerability when using user input


I noticed when using Tipped that user input is not properly escaped. When the "title" attribute of a Tipped element is supplied by user input, the browser executes JavaScript code inside of it (e.g. '<script>alert("foo");</script>').

Here is a problematic example:

<% user_title = '<script>alert("foo");</script>' %>
<th scope="row" class="js-tooltip" title="<%= user_title %>" data-tipped-options="position: 'topleft'">

Rails escapes HTML characters, but it appears that Tipped unescapes them. For example, this will be executed, as well:

&lt;img src=&quot;nope&quot; onerror=&quot;alert('xss')&quot;&gt;

In order to use Tipped, we have to double-escape user-supplied strings in Ruby. I was hoping there's a global option to turn off un-escaping, but I'm not seeing anything in the docs.

Alternatively, is there an easier solution that I'm missing?




  • Are there any updates on this issue? It appears that the most current version of this library is still vulnerable to XSS. To test:

    1.) download and modify tipped-4.6.1-light/example/index.html
    2.) Update line 34 to be:

    <div class='box' title="&lt;details open ontoggle=alert(document.domain)&gt;" data-tipped-options="position: 'topleft'">

    3.) Open the example page in the browser
    4.) Hover over the first example
    5.) Notice that the HTML-escaped title content is evaluated and executes the ontoggle JavaScript alert
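The escaping pipeline described in the original post and in the follow-up comment, worked through in Ruby as an added example (this is not code from the thread, from Rails, or from Tipped). It models the three stages the posts describe: the view escapes the value once into the title="" attribute, the browser's HTML parser decodes character references in the attribute so that the title property holds the decoded string, and a tooltip library that renders that property as HTML ends up injecting it. The `tooltip_markup` function is an assumed stand-in for the library's rendering step, and `CGI.unescapeHTML` is an assumed stand-in for the browser's attribute decoding; both payloads are the ones quoted in the thread, plus a constructed benign title for comparison.

```ruby
require "cgi"

# Constructed sample titles: the OP's <script> payload, the follow-up
# comment's <details> payload, and a benign string with HTML specials.
PAYLOADS = {
  script:  '<script>alert("foo");</script>',
  details: '<details open ontoggle=alert(document.domain)>',
  benign:  'Plain title with 5 > 3 & "quotes"',
}.freeze

# Stage 1a: what the Rails view does with <%= user_title %> inside
# title="": one round of HTML escaping.
def single_escape(str)
  CGI.escapeHTML(str)
end

# Stage 1b: the OP's workaround, escaping twice so that one round of
# browser decoding still leaves escaped text for the tooltip library.
def double_escape(str)
  CGI.escapeHTML(CGI.escapeHTML(str))
end

# Stage 2 (assumed model of the browser): the HTML parser decodes character
# references in attribute values, so element.title is the decoded string,
# not the source text. A real browser decodes more named entities than
# CGI.unescapeHTML does; this is enough for the thread's payloads.
def browser_attribute_value(attr_source)
  CGI.unescapeHTML(attr_source)
end

# Stage 3 (assumed model of the library): the title property is used as
# HTML (innerHTML semantics), which is the behaviour the thread reports.
# Returns the markup that would be parsed into the tooltip.
def tooltip_markup(title_property)
  title_property
end

# Crude check for an element start tag in the rendered markup. Good enough
# for these payloads; it is not a general HTML sanitizer.
TAG_RE = /<[a-zA-Z]/

def renders_as_markup?(markup)
  !!(markup =~ TAG_RE)
end

# Run one user string through view -> browser -> library with the given
# escaping strategy. Returns the markup the tooltip would render and
# whether that markup contains live HTML.
def tooltip_outcome(user_string, escaper)
  attr_source = escaper.call(user_string)            # template output
  title_prop  = browser_attribute_value(attr_source) # element.title
  markup      = tooltip_markup(title_prop)           # library's HTML input
  { markup: markup, executable: renders_as_markup?(markup) }
end

# Side-by-side result for single and double escaping.
def compare(user_string)
  {
    single: tooltip_outcome(user_string, method(:single_escape)),
    double: tooltip_outcome(user_string, method(:double_escape)),
  }
end

if __FILE__ == $0
  PAYLOADS.each do |name, payload|
    r = compare(payload)
    puts "#{name}: single-escape executable=#{r[:single][:executable]}  #{r[:single][:markup]}"
    puts "#{name}: double-escape executable=#{r[:double][:executable]}  #{r[:double][:markup]}"
  end
end
```

With single escaping, both payloads come out of the browser's attribute decoding exactly as the user typed them, so a library that treats the title as HTML renders a live script or details element; with double escaping, what reaches the library is the single-escaped text, which renders as literal characters. Two caveats for anyone adopting the workaround: it only produces the right display because the library renders as HTML, so a later switch to text rendering would show visible `&lt;` to users, and the browser's entity decoding is more permissive than `CGI.unescapeHTML`, so confirm the result in an actual browser rather than in this model.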
