Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS vulnerability #1189

Open
emizzz opened this issue Dec 8, 2022 · 3 comments
Open

XSS vulnerability #1189

emizzz opened this issue Dec 8, 2022 · 3 comments

Comments

@emizzz
Copy link

emizzz commented Dec 8, 2022

Magnific Popup uses a parameter called preloader, which by default is set to true.

Using a specifically crafted payload (in src URL) two things happen:

Initially, the text variable in the updateStatus function is set to “Loading…”

magnific_popup_vulnerability_debug1

Then it takes the value passed to it by the default error handling function (which contains the URL).

mfp.updateStatus('error', imgSt.tError.replace('%url%', item.src) );

magnific_popup_vulnerability_debug2

The problem here is that the .html() function does not escape HTML and could be used to inject code.

The vulnerability, if exploitable, can even lead to "stored XSS".

@BloodyIron
Copy link

BloodyIron commented Feb 13, 2023

Looks legit to me. (as in legit threat)

@emizzz
Copy link
Author

emizzz commented Feb 15, 2023

Do you mean that this is intended as a feature?

@BloodyIron
Copy link

As in the fact it does not escape html is a legitimate security concern. I am not a developer, I simply spotted this and wanted to state that I support that this needs to be fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants