Ohpe edited this page Jan 29, 2016 · 1 revision

List of Sinks

Global jQuery Functions

The following sinks allow HTML injection:

  • jQuery( htmlText [, ownerDocument] ) and $( htmlText [, ownerDocument] ): if the first argument contains a pattern that matches a known tag, an HTML fragment is created from it. Reference.
    • Update: as of version 1.6.1 this is exploitable only if htmlText does not start with #.
    • Update2: as of version 1.9.0 this is exploitable only if htmlText starts with '<'.
  • jQuery.parseHTML(htmlText): static method introduced in version 1.8.0 which uses DIV.innerHTML to parse HTML with the browser's parser (thanks to Gareth Heyes for pointing this out).
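The version-dependent rule above can be checked before user input ever reaches $(). The following is an added example, not code from this wiki or from jQuery: it emulates how the jQuery constructor decides whether a string is HTML or a selector, using patterns reconstructed from jQuery's historical quickExpr/rquickExpr (an approximation; verify against the exact build you ship), and wraps that in a guard for call sites that only ever intend a selector.

```javascript
// Added example, not part of the original page or of jQuery itself.
// The regexes approximate jQuery's historical quickExpr / rquickExpr;
// confirm them against the source of the jQuery version actually in use.

// Before 1.6.1: any "<tag>" anywhere in the string made it HTML, even after "#".
const QUICK_PRE_161 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.6.1 up to 1.8.x: text before the tag may not contain "#" or "<".
const QUICK_161 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.9.0 and later: the string has to begin with "<".
const QUICK_190 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Numeric comparison of "major.minor.patch" strings.
function versionAtLeast(version, wanted) {
  const a = version.split(".").map(Number);
  const b = wanted.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Returns "html" if jQuery(str) would build DOM nodes from str, else "selector".
function classifyJQueryArg(str, version) {
  if (versionAtLeast(version, "1.9.0")) {
    // 1.9 fast path: starts with "<", ends with ">", at least 3 chars.
    const fast = str.charAt(0) === "<" &&
      str.charAt(str.length - 1) === ">" && str.length >= 3;
    const m = fast ? null : QUICK_190.exec(str);
    return fast || (m && m[1]) ? "html" : "selector";
  }
  const re = versionAtLeast(version, "1.6.1") ? QUICK_161 : QUICK_PRE_161;
  const m = re.exec(str);
  return m && m[1] ? "html" : "selector";
}

// Guard for call sites such as $(location.hash) that only intend a selector:
// refuse anything the given jQuery version would parse as HTML.
function requireSelector(str, version) {
  if (classifyJQueryArg(str, version) === "html") {
    throw new Error("refusing to pass HTML-like input to jQuery(): " + str);
  }
  return str;
}
```

The classification mirrors the two updates on the page: a payload prefixed with # is only HTML before 1.6.1, and a payload with any prefix at all is only HTML before 1.9.0.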

The following sinks allow JavaScript execution:

  • jQuery.globalEval( userContent ): equivalent to an eval sink. Reference

Element-specific Functions

  • element.add( userContent ): adds elements to the matched elements. Reference

  • element.append( userContent ) : inserts given HTML at the end of each matched element. Reference

  • element.after( userContent ) : inserts given HTML after each matched element. Reference

  • element.before( userContent ) : inserts given HTML before each matched element. Reference

  • element.html( userContent ) : equivalent to assigning element.innerHTML = userContent. Reference

  • element.prepend( userContent ) : inserts given HTML at the beginning of each matched element. Reference

  • element.replaceWith( userContent ) : replaces each matched element with the given new content. Reference

  • element.wrap( userContent ) : wraps the matched element(s) within the given HTML. Reference

  • element.wrapAll( userContent ) : wraps the matched element(s) within the given HTML. Reference

  • In general, every function that accepts the htmlString type (see jQuery docs). (TODO: Extract these from their docs)

Warning: This list is still far from being complete.
