jQuery
List of Sinks
The following sinks allow HTML injection:
- jQuery( htmlText [, ownerDocument] ) and $( htmlText [, ownerDocument] ): if the first argument contains a pattern that matches a known tag, jQuery builds an HTML fragment from it instead of treating it as a selector, so untrusted input such as location.hash passed straight to $() becomes an HTML injection. Reference. Update: as of version 1.6.1 this is exploitable only if htmlText does not start with #; from version 1.9 onwards a string is treated as HTML only if it starts with <, so input that merely contains a tag somewhere in the middle is no longer parsed as markup.
- element.html( userContent ): equivalent to assigning element.innerHTML = userContent, with one difference that matters for exploitation: when the string contains a <script> element jQuery falls back to its append path and evaluates the script, which raw innerHTML does not. Reference
- element.append( userContent ): equivalent to setting document.createElement("div").innerHTML = userContent and then moving the div's children into element; inline scripts in the string are executed as well. Reference
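The following is an added example, not code from the original page or from jQuery itself. It simulates how jQuery( str ) decides whether an untrusted string is an HTML fragment, an #id lookup, or a generic selector, across the three generations of its internal "quickExpr" test described above, and shows an allowlist check that prevents attacker-controlled text such as location.hash from reaching the sink at all. The regexes are reconstructions of the documented behaviour (an assumption here, not jQuery's source), and the sample inputs are constructed.

```javascript
// Added example (not jQuery's own source): simulate how jQuery( str ) decides
// whether an untrusted string is HTML, an #id, or a generic selector, for
// three generations of its internal "quickExpr" test. The regexes are
// reconstructions of the documented behaviour and are an assumption here.
"use strict";

const QUICK_EXPR = {
  // up to 1.6.0: a tag anywhere in the string makes it an HTML fragment
  "1.6.0": /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.6.1 to 1.8.x: the text before the tag may no longer contain '#'
  "1.6.1": /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.9 and later: only a string that starts with '<' is HTML
  "1.9.0": /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
};

// Returns "html" (a fragment is built, so attributes and scripts run),
// "id" (the getElementById fast path) or "selector" (handed to the selector
// engine, which throws on malformed input instead of creating elements).
function classify(version, str) {
  const m = QUICK_EXPR[version].exec(str);
  if (!m) return "selector";
  return m[1] ? "html" : "id";
}

// Constructed inputs modelled on what location.hash or a URL parameter can
// carry when an attacker controls the link.
const SAMPLES = [
  "#section-2",                          // benign anchor
  "#<img src=x onerror=alert(1)>",       // hash-based payload
  "<img src=x onerror=alert(1)>",        // payload with no '#' prefix
  "item <b>bold</b>",                    // tag embedded mid-string
  "div.box",                             // ordinary selector
];

function classifyAll(str) {
  return Object.fromEntries(
    Object.keys(QUICK_EXPR).map((v) => [v, classify(v, str)])
  );
}

// Hardening: never hand untrusted text to $(); allowlist it as a plain id
// first and build the selector yourself (or use document.getElementById).
function safeIdSelector(hash) {
  const id = hash.startsWith("#") ? hash.slice(1) : hash;
  return /^[A-Za-z][\w-]*$/.test(id) ? "#" + id : null;
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s).padEnd(36), classifyAll(s), "safe:", safeIdSelector(s));
}
```

Running it shows the hash payload classified as "html" only on the pre-1.6.1 regex, the same payload without a leading # classified as "html" on every version, and the mid-string tag still treated as HTML until 1.9. The allowlist returns null for everything but the plain anchor, which is the behaviour you want before any untrusted string reaches $(), .html() or .append().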
The following sinks allow JavaScript execution:
- jQuery.globalEval( userContent ): equivalent to the eval sink; the string is executed as script in the global scope. Reference
Warning: this list is far from complete.