This repository has been archived by the owner on Oct 8, 2021. It is now read-only.

XSS issue in owasp and blackhat reports? #8631

Closed
HIRANO-Satoshi opened this issue Aug 1, 2018 · 2 comments

Comments

@HIRANO-Satoshi

Hi,

  1. Issue description

The following reports pointed out that jQuery Mobile had an XSS issue. Has it been fixed, or is it not a problem?

https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf

https://www.owasp.org/images/3/32/OWASP_BeNeLux-Day_2017_Bypassing_XSS_mitigations_via_script_gadgets_Sebastian_Lekies.pdf

jQuery Mobile also has an HTML injection point, where the value of the "ID"
attribute is dynamically put inside an HTML comment. One can achieve
arbitrary code execution by simply closing the comment, and let jQuery
manually execute the script.
Example: jQuery Mobile

<div data-role=popup id='--><script>"use strict"
alert(1)</script>'></div>

Steps to reproduce ??
Expected outcome ??
Actual outcome ??

@HIRANO-Satoshi changed the title from "XSS issue in owasp and blackhat reports" to "XSS issue in owasp and blackhat reports?" on Aug 1, 2018
@ElliotNB

ElliotNB commented Sep 20, 2018

This seems like a very low-risk issue. If I'm understanding correctly, in order to exploit this vulnerability, you would have to have control of the ID attribute. Having control of the ID attribute implies either:

  1. You have control of the front-end source itself.

  2. The programmer built their jQuery Mobile widget such that the ID attribute is set using dynamic content from an external source.

If #1 is true, then XSS is a moot point because you already have control of the source.

If #2 is true, then the solution is to simply stop dynamically injecting external content into ID attributes (probably shouldn't have been done in the first place) or perform proper input validation on that external content.

TLDR: It's not a problem with jQuery Mobile -- it's only a problem if jQuery Mobile is used improperly.
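To make both the gadget quoted from the Lekies slides and the input-validation fix suggested in the comment above concrete, here is an added example. It is not jQuery Mobile's source and not code posted by either participant: the placeholder template that copies the element's id into an HTML comment is an assumption modelled on the slide's description, the `SAFE_ID` whitelist and the `scriptsOutsideComments` scanner are illustrative helpers written for this page, and the payload is the one quoted in the issue. The scanner mimics just enough of HTML tokenisation (comments, quoted attribute values, script elements) to show which markup a browser would hand to jQuery.

```javascript
// Simplified model of the widget behaviour described in the slides: the id is
// copied into an HTML comment by string concatenation. ASSUMPTION for this
// illustration, not jQuery Mobile's actual code.
function buildPlaceholderVulnerable(id) {
  return "<div id='" + id + "-placeholder' style='display: none;'>" +
         "<!-- placeholder for " + id + " --></div>";
}

// Hardened variant (the "proper input validation" option from the comment):
// the id must be a plain token, so it can neither close the comment ("-->"
// needs ">") nor break out of the quoted attribute.
const SAFE_ID = /^[A-Za-z][A-Za-z0-9_-]*$/;
function buildPlaceholderHardened(id) {
  if (!SAFE_ID.test(id)) {
    throw new Error("refusing to build widget, id is not a plain token: " + JSON.stringify(id));
  }
  return buildPlaceholderVulnerable(id); // same template, now with a vetted id
}

// Minimal comment- and quote-aware scan of a markup string. Comment data is
// skipped, a quoted attribute value cannot end a tag, and every <script>
// element found outside a comment is returned. Not a full HTML parser (a bare
// "<" in text is treated as a tag start), but enough for this demonstration.
function scriptsOutsideComments(markup) {
  const found = [];
  const lower = markup.toLowerCase();
  let i = 0;
  while (i < markup.length) {
    if (markup[i] !== "<") { i++; continue; }
    if (markup.startsWith("<!--", i)) {            // comment: skip to the next "-->"
      const end = markup.indexOf("-->", i + 4);
      i = end === -1 ? markup.length : end + 3;
      continue;
    }
    let j = i + 1;                                  // start tag: find its ">" outside quotes
    let quote = null;
    while (j < markup.length) {
      const c = markup[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
      j++;
    }
    const tag = markup.slice(i, j + 1);
    if (/^<script[\s>\/]/i.test(tag)) {             // script element: capture through </script>
      const close = lower.indexOf("</script>", j);
      const stop = close === -1 ? markup.length : close + "</script>".length;
      found.push(markup.slice(i, stop));
      i = stop;
    } else {
      i = j + 1;
    }
  }
  return found;
}

// The payload quoted in the issue (constructed here from the quoted text; the
// line break matters, it is what separates "use strict" from alert(1)).
const PAYLOAD = '--><script>"use strict"\nalert(1)</script>';

// Stand-alone demo. A browser's innerHTML would not run an inserted script, but
// jQuery's DOM-manipulation methods evaluate <script> elements they insert,
// which is what turns the comment breakout into script execution.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable, benign id :", scriptsOutsideComments(buildPlaceholderVulnerable("myPopup")));
  console.log("vulnerable, payload   :", scriptsOutsideComments(buildPlaceholderVulnerable(PAYLOAD)));
  try {
    buildPlaceholderHardened(PAYLOAD);
  } catch (e) {
    console.log("hardened, payload     : rejected ->", e.message);
  }
}
```

With a benign id the scan finds nothing; with the quoted payload the first copy of the id stays harmlessly inside the single-quoted `id` attribute, but the second copy closes the comment and leaves a `<script>` element in the markup. The whitelist refuses the payload before any markup is built, which is the check you would want wherever an id ever comes from data rather than from the page source.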

@HIRANO-Satoshi (Author)

Okay. Thanks!
