Anderson
Reputation: 171
Is it possible to perform a XSS attack using jQuery's .attr("href", value) method for <a> tags?
Given is the following html fragment, which is statically typed in an html file:
<a id="link001" href="https://google.com" target="_blank">Google</a>
Please consider, that the attribute value of href is quoted. Is it possible to perform a XSS attack when the attacker can provide an arbitrary value for the variable unsafe_string in the following context:
$('#link001').attr("href", unsafe_string);
My question is: Is it possible to inject and execute malicious code? The attacker has only control of unsafe_string and nothing else. The attacker can assume that the victim will finally click the link.
The case, that a user can get forwarded to some malicious website by clicking the link should get neglected.
Upvotes: 1
Views: 908
Answers (1)
CertainPerformance
Reputation: 370989
Yes, it's unsafe, one can just prepend javascript: to the malicious code:
$('#link001').attr("href", "javascript:alert('evil')");<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<a id="link001" href="https://google.com" target="_blank">Google</a>Upvotes: 3
Related Questions
- Can using the HREF with jQuery be vulnerable to XSS?
- Get value of href attribute of <a> tag without jQuery
- Is it possible to perform a XSS attack using jQuery's .attr(attributeName, value) method in the following context?
- Preventing XSS when using .attr('href', url) in jQuery
- Is jQuery .attr() method XSS safe?
- jQuery: Use .attr('href',"") to call javascript
- Filter XSS in href attribute?
- How to use "javascript:window.location.href's" value of "onclick" event in jquery attr() method?
- Changing attr href to something else via jquery. What does it all affect
- jQuery replace attr href with string values