jQuery's "Dollar Sign" Syntactic Quirk - An Inherent Vulnerability?
jQuery
has this
quirk,
whereby one can't pass user data to the$() function
:
$('<img src=1 onerror=alert(document.domain)>')
The $()
code ends up creating an HTML node, which can lead to an XSS vulnerability.
This vector for bugs has been known for a while (bug #9521; bug #11617), but can unfortunately still be exploited in some cases.
{ modified for grammar/effect from src
props to @alokmenghrajani }
Written by Rashaad Essop
Related protips
Have a fresh tip? Share with Coderwall community!
Post
Post a tip
Best
#Syntax
Authors
Sponsored by #native_company# — Learn More
#native_title#
#native_desc#