A few days ago, Eric A Mann posted an article explaining a potential XSS vulnerability in various jQuery scripts. The basic premise is that a very common coding practice in jQuery (checking whether an element exists before trying to use it) could lead to an XSS attack. Essentially, if you use jQuery to check whether an element exists, and part of the selector string you’re using comes from user input (for instance, the URL hash), then that string can be treated as markup rather than as a selector, and code can be injected and executed.
In the comments, Eric and a user named Dave discovered that this specific vulnerability had been patched in older versions of jQuery, but that a lot of sites were still vulnerable due to the jQuery Migrate plugin (which is packaged and used in WordPress by default, in order to help ensure backward-compatibility with outdated jQuery code on sites).
So, bottom line is:
- You may or may not be vulnerable to this, but you should definitely do some testing to find out.
- If you use this type of code in any of your jQuery scripts, you might want to update the way you’re checking for the existence of elements.
- Yes, you can patch this vulnerability on your own sites by disabling the jquery-migrate plugin. That still doesn’t mean you should be using jQuery for something that can be done with standard JavaScript, and it doesn’t mean you should be disabling jquery-migrate from within any of your plugins, so you should absolutely patch the issue in any public code you control.
If you’re interested in patching this within your own scripts, I’ve written a quick Gist that uses Eric’s suggestions. You can definitely try it out; in my initial testing it seems to work pretty well. Essentially, you would replace a check like `if ( jQuery( elementSelector ).length <= 0 )` with one built on `doesElementExist( elementSelector )`.
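The following is an added example, not the author’s Gist and not jQuery or jQuery Migrate code. It shows the shape of a jQuery-free existence check: the selector is validated before use (anything containing `<` or `>` is refused, since a CSS selector never needs them and `<` is what lets the string be reinterpreted as HTML), a URL fragment is narrowed to a strict `#id` selector, and the lookup goes through the standard `querySelector` API. The function names `isPlausibleSelector`, `hashToIdSelector`, `doesElementExist` and `fragmentTargetExists` are hypothetical, and `sampleDocument` is a constructed stand-in for `document` so the block runs under Node without a browser.

```javascript
// Added example (not the author's Gist): a jQuery-free "does this element exist?" check.
// The pattern being replaced is `if ( jQuery( elementSelector ).length <= 0 )`
// where `elementSelector` may contain user input such as `location.hash`.

// Assumption: a CSS selector never legitimately needs '<' or '>' (the '<' is what
// lets a selector string be reinterpreted as HTML), so such strings are refused outright.
function isPlausibleSelector(selector) {
  return typeof selector === "string" && selector.trim().length > 0 && !/[<>]/.test(selector);
}

// Narrow a URL fragment such as "#comments" to a strict id selector, or null.
// Only a letter-initial run of [A-Za-z0-9_-] is accepted; anything else is dropped.
function hashToIdSelector(hash) {
  if (typeof hash !== "string") return null;
  const m = /^#([A-Za-z][\w-]*)$/.exec(hash);
  return m ? "#" + m[1] : null;
}

// Existence check using the standard DOM API instead of jQuery.
// `root` defaults to the global document; a stand-in is accepted so this runs outside a browser.
function doesElementExist(selector, root) {
  if (!isPlausibleSelector(selector)) return false;
  const scope = root || (typeof document !== "undefined" ? document : null);
  if (!scope || typeof scope.querySelector !== "function") return false;
  try {
    return scope.querySelector(selector) !== null;
  } catch (err) {
    // querySelector throws SyntaxError on malformed selectors; treat that as "not found"
    return false;
  }
}

// Constructed stand-in for `document` so the example runs under Node without a DOM.
// It knows two ids and, like a real DOM, throws on selectors it cannot parse.
const sampleDocument = {
  ids: new Set(["main", "comments"]),
  querySelector(selector) {
    const m = /^#([A-Za-z][\w-]*)$/.exec(selector);
    if (!m) throw new SyntaxError("stub only parses simple id selectors: " + selector);
    return this.ids.has(m[1]) ? { id: m[1] } : null;
  },
};

// Typical call site: derive the selector from the URL fragment, then test for it.
function fragmentTargetExists(hash, root) {
  const selector = hashToIdSelector(hash);
  return selector !== null && doesElementExist(selector, root);
}

// Prints true, false, false
console.log(fragmentTargetExists("#comments", sampleDocument));
console.log(fragmentTargetExists("#missing", sampleDocument));
console.log(fragmentTargetExists("#comments<b>", sampleDocument));
```

With this helper the original guard `if ( jQuery( elementSelector ).length <= 0 )` becomes `if ( ! doesElementExist( elementSelector ) )`; the negation is on the caller, since the helper answers “does it exist?”. Refusing the selector up front, rather than only catching the `SyntaxError` from `querySelector`, is what keeps a user-controlled string from ever reaching an HTML-parsing code path.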
Now, I’m off to see how many places I might have used this code, and see how many places I can patch it.