-
Bug
-
Resolution: Fixed
-
Critical
-
10.0.0
-
None
Steps to Reproduce
Calling setTooltiptext("\" onLoad=\"myBadJavascript();") for Image should also work, or setTooltiptext("\" onMouseover=\"myBadJavascript();") for A hyperlinks.
Current Result
Javascript is executed
Expected Result
The tooltip should be displayed as entered, by applying proper escaping.
Debug Information
<image tooltiptext="" onLoad="alert(0);"/> in ZUL displays Javascript message, so if applications display user input as tooltiptext (e.g. if the size exceeds a threshold), users can execute Javascript in foreign users' context, e.g. to steal session cookies or act impersonating the other user.
Workaround
- duplicates
-
ZK-5722 DomPurify doesn't neutralize double quotes in attribute string, can be used for XSS attacks
- Closed