Tooltip: Escape the title attribute so that it's treated as text and not HTML. Fixes #8861 - Tooltip: XSS vulnerability in default content.

Author: scottgonzalez

demos/autocomplete/combobox.html

@@ -61,7 +61,7 @@
 						// remove invalid value, as it didn't match anything
 						$( element )
 							.val( "" )
-							.attr( "title", $( "<a>" ).text( value ).html() + " didn't match any item" )
+							.attr( "title", value + " didn't match any item" )
 							.tooltip( "open" );
 						select.val( "" );
 						setTimeout(function() {

tests/unit/tooltip/tooltip_options.js

@@ -16,6 +16,20 @@ test( "content: default", function() {
 	deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), "anchortitle" );
 });
 
+test( "content: default; HTML escaping", function() {
+	expect( 2 );
+	var scriptText = "<script>$.ui.tooltip.hacked = true;</script>",
+		element = $( "#tooltipped1" );
+
+	$.ui.tooltip.hacked = false;
+	element.attr( "title", scriptText )
+		.tooltip()
+		.tooltip( "open" );
+	equal( $.ui.tooltip.hacked, false, "script did not execute" );
+	deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), scriptText,
+		"correct tooltip text" );
+});
+
 test( "content: return string", function() {
 	expect( 1 );
 	var element = $( "#tooltipped1" ).tooltip({

ui/jquery.ui.tooltip.js

@@ -46,7 +46,9 @@ $.widget( "ui.tooltip", {
 	version: "@VERSION",
 	options: {
 		content: function() {
-			return $( this ).attr( "title" );
+			var title = $( this ).attr( "title" );
+			// Escape title, since we're going from an attribute to raw HTML
+			return $( "<a>" ).text( title ).html();
 		},
 		hide: true,
 		// Disabled elements have inconsistent behavior across browsers (#8661)