ksr

Reputation: 15

How to execute JavaScript inside jQuery selector

I have a code like this:

$('.' + InjectionPoint).removeClass('classname');

where InjectionPoint is the part controlled by the end user. Apparently this code is vulnerable to DOM XSS, but is it really exploitable? And what would an attack vector look like?

Thanks

Upvotes: 1

Views: 610

Answers (2)

Tyler

Reputation: 51

This is definitely subject to XSS. Check out this article which describes how an attacker might go about it: https://ttmm.io/tech/jquery-xss/

Basically, the author recommends that you use document.querySelectorAll() instead of the jQuery selector function. Someone commented that this is a non-issue for jQuery 1.7 and above but don't quote me on that.

In general, it's never ever a good idea to trust what your users give you.

Upvotes: 0
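An added example, not part of the answers on this page: one way to apply the document.querySelectorAll() recommendation above while also escaping the user-controlled class name, so the value can only ever be read as a single class identifier. The helper names (escapeCssIdent, classSelector, removeClassByUserValue) and the sample inputs are constructed for illustration; the escaping follows the CSSOM "serialize an identifier" rules that the browser's CSS.escape implements.

```javascript
// Added example. escapeCssIdent follows the CSSOM "serialize an identifier"
// steps (the algorithm behind the browser's CSS.escape).
function escapeCssIdent(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    const isAlpha = (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a);
    if (c === 0x00) {
      out += "\uFFFD";                       // NUL becomes the replacement character
    } else if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||
               (i === 0 && isDigit) ||
               (i === 1 && isDigit && s.charCodeAt(0) === 0x2d)) {
      out += "\\" + c.toString(16) + " ";    // control chars, leading digit: hex escape
    } else if (i === 0 && c === 0x2d && s.length === 1) {
      out += "\\-";                          // a lone "-" is not a valid identifier
    } else if (c >= 0x80 || c === 0x2d || c === 0x5f || isDigit || isAlpha) {
      out += s.charAt(i);                    // identifier characters pass through
    } else {
      out += "\\" + s.charAt(i);             // everything else is backslash-escaped
    }
  }
  return out;
}

// Build ".<class>" from untrusted input (hypothetical helper name).
function classSelector(userValue) {
  if (typeof userValue !== "string" || userValue.length === 0) {
    throw new TypeError("class name must be a non-empty string");
  }
  return "." + escapeCssIdent(userValue);
}

// Remove className from every element carrying the user-supplied class.
// root is `document` in a browser; querySelectorAll parses selectors only.
function removeClassByUserValue(root, userValue, className) {
  const nodes = root.querySelectorAll(classSelector(userValue));
  nodes.forEach((n) => n.classList.remove(className));
  return nodes.length;
}

// Constructed sample inputs, showing the selector each one produces.
for (const v of ["menu-item", "a, body", "<b>", "1st"]) {
  console.log(JSON.stringify(v), "->", classSelector(v));
}
```

Escaping also keeps a value such as "a, body" from widening the selector to elements the code never meant to touch.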

Aaron

Reputation: 2227

On what are you basing your belief that "this code is vulnerable to DOM XSS"?

Based on this answer, that was true in older versions of jQuery, but not any version later than 1.6.3: https://stackoverflow.com/a/11170073/877682

Upvotes: 4
