
Fix XSS in Alert, Carousel, Collapse, Dropdown and Modal

This commit is contained in:
Johann-S
2017-08-26 11:43:06 +02:00
parent 4731b239b1
commit 29f9237f73
7 changed files with 23 additions and 7 deletions
+3 -1
@@ -66,7 +66,9 @@
</div>
</div>
</div>
<button class="btn" data-toggle="collapse" data-target="<img src=x onerror=alert(0)>">
Collapse with an XSS
</button>
</div>
<!-- JavaScript Includes -->
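Review bot: The new collapse demo exercises only `data-target`; if collapse resolves its `data-parent` attribute (and the `href` fallback used when `data-target` is absent) through the same selector helper this commit hardens, those paths get no coverage here, and a sibling button such as `<button type="button" class="btn" data-toggle="collapse" data-target="#x" data-parent="<img src=x onerror=alert(0)>">` would make a regression in them visible on the same page. The check is manual — the page passes only if no alert fires on click — so the expected outcome should be stated next to the button, e.g. `<!-- Expected: clicking must NOT fire alert(0); an alert means the data-target selector is being parsed as HTML again -->`, and the same payload belongs as an assertion in the QUnit suite (7 files changed, only 2 visible in this chunk, so it may already be there). The `<button>` has no `type`, so it defaults to `submit`; `type="button"` avoids a surprise if the demo is ever wrapped in a form. The enclosing markup of this hunk starts outside the visible lines.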
+3
@@ -162,6 +162,9 @@
Tall body content to force the page to have a scrollbar.
</div>
<button class="btn btn-primary btn-lg" data-toggle="modal" data-target="&#x3C;div class=&#x22;modal fade the-bad&#x22; tabindex=&#x22;-1&#x22; role=&#x22;dialog&#x22;&#x3E;&#x3C;div class=&#x22;modal-dialog&#x22; role=&#x22;document&#x22;&#x3E;&#x3C;div class=&#x22;modal-content&#x22;&#x3E;&#x3C;div class=&#x22;modal-header&#x22;&#x3E;&#x3C;button type=&#x22;button&#x22; class=&#x22;close&#x22; data-dismiss=&#x22;modal&#x22; aria-label=&#x22;Close&#x22;&#x3E;&#x3C;span aria-hidden=&#x22;true&#x22;&#x3E;&#x26;times;&#x3C;/span&#x3E;&#x3C;/button&#x3E;&#x3C;h4 class=&#x22;modal-title&#x22;&#x3E;The Bad Modal&#x3C;/h4&#x3E;&#x3C;/div&#x3E;&#x3C;div class=&#x22;modal-body&#x22;&#x3E;This modal&#x27;s HTTML source code is declared inline, inside the data-target attribute of it&#x27;s show-button&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;">
Launch XSS modal
</button>
</div>
<!-- JavaScript Includes -->
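Review bot: The modal demo never states what a pass looks like, so a reader has to infer that the `the-bad` markup must not appear; add a note above the button such as `<!-- Expected: clicking must NOT open a modal titled "The Bad Modal". The data-target value is entity-encoded, so the browser hands the plugin a raw HTML string; if a modal appears, the selector is being parsed as HTML again -->`. The payload body text contains two typos — `HTTML` should be `HTML` and `it's show-button` should be `its show-button` — harmless since the text is not meant to render, but they read as mistakes. As with the collapse page this is a manual check; an automated assertion that no `.the-bad` element exists in the document after the click would make the fix regression-proof (the unit-test files of this commit are not in view). The `<button>` also lacks `type="button"`.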