Merge branch 'main' into issue-OWASP-BLT#1346

JisanAR03 · Nov 1, 2023 · 0158754 · 0158754
2 parents f3ad862 + bf6ef11
commit 0158754
Showing 1 changed file with 20 additions and 3 deletions.
diff --git a/website/static/vendor/bootstrap/js/bootstrap.js b/website/static/vendor/bootstrap/js/bootstrap.js
@@ -1328,7 +1328,7 @@ function sanitizeInput(input) {
         this.type = type
         this.$element = $(element)
         this.options = this.getOptions(options)
-        this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+        this.$viewport = this.options.viewport && $(sanitizeSelector($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport)))
         this.inState = {click: false, hover: false, focus: false}
 
         if (this.$element[0] instanceof document.constructor && !this.options.selector) {
@@ -2028,7 +2028,7 @@ function sanitizeInput(input) {
             '[data-target="' + target + '"],' +
             this.selector + '[href="' + target + '"]'
 
-        var active = $(selector)
+        var active = $(escapePotentialXSS(selector))
             .parents('li')
             .addClass('active')
 
@@ -2042,7 +2042,7 @@ function sanitizeInput(input) {
     }
 
     ScrollSpy.prototype.clear = function () {
-        $(this.selector)
+        $(escapePotentialXSS(this.selector))
             .parentsUntil(this.options.target, '.active')
             .removeClass('active')
     }
@@ -2407,3 +2407,20 @@ function sanitizeInput(input) {
     })
 
 }(jQuery);
+function escapePotentialXSS(selector) {
+    // Escaping only the specific characters that can lead to XSS
+    // such as <, >, ", ', and ` which are not valid in CSS selectors
+    // and can be used for XSS if injected into HTML content.
+    return selector.replace(/[<>\"'`]/g, function(match) {
+        // Convert potentially dangerous characters to their
+        // corresponding HTML entity representations.
+        switch(match) {
+            case '<': return '&lt;';
+            case '>': return '&gt;';
+            case '"': return '&quot;';
+            case '\'': return '&#39;';
+            case '`': return '&#96;';
+            default: return match;
+        }
+    });
+}