XSS Vulnerability on closeText option of Dialog jQuery UI 1.11.4

[1001binary]

I couldn't submit the bug to the website http://bugs.jqueryui.com/newticket.

VULNERABILITY DETAILS

A potential bug enables us to inject the XSS content into closeText option using component ui dialog. As original of jQuery UI(https://api.jqueryui.com/dialog/#option-closeText), we shall not accept any HTML string inside it.

VERSION

Any site using the latest version jQuery UI 1.11.4 .

REPRODUCTION CASE

• Create a new HTML page.
• Inject this content into new page.

<!DOCTYPE html><htmlxmlns="http://www.w3.org/1999/xhtml"><head><title>XSS in closeText option of component ui dialog</title><scriptsrc="https://code.jquery.com/jquery-2.1.4.js"></script><scriptsrc="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script><linkrel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css"><script>$(document).ready(function(){$('#dialog').dialog({closeText: '<script>alert("XSS")<\/script>'});});</script></head><body><divid="dialog" title="Dialog Title">Content here!</div></body></html>

• A alert popup was shown.
• Completed.

IN CONCLUSION

We expect that the html string isn't allowed in the closeText option as well as the popup alert not shown. If it displays, any attacker can take advantage of injecting the malicious XSS content into website.

Please see details at here http://jsfiddle.net/0wjdtcc6/

[jquerybot]

Thank you for your pull request. It looks like this may be your first contribution to a jQuery Foundation project, if so we need you to sign our Contributor License Agreement (CLA).

📝 Please visit http://contribute.jquery.org/CLA/ to sign.

After you signed, the PR is checked again automatically after a minute. If there's still an issue, please reply here to let us know.

---

If you've already signed our CLA, it's possible your git author information doesn't match your CLA signature (both your name and email have to match), for more information, check the status of your CLA check.