Code Injection Vulnerability

[corporealfunk]

If you allow users to input titles/captions for use in swipebox, the current code allows code injection. For example, say you properly escape all HTML entities in your "a" tag's title attribute like this:

<a class='swipebox' href='https://picsum.photos/200/300' title='&lt;script&gt;alert(&quot;hi&quot;);&lt;/script&gt;'>click to see image</a>

At first glance the above tag looks OK: we've escaped our user input as we should to avoid code injection. However, when the swipebox plugin is initialized and the user clicks this link, the JS code is executed and the alert box is shown. You can see this in action here:

https://jsfiddle.net/wk481x95/

This functionality normally allows us to display a caption in the swipebox widget, by setting the "a" tag's title attribute. The reason the code injection occurs is because the swipebox plugin is using jQuery's "append" method to insert the "a" tag's title attribute into the swipebox widget. It should be using jQuery's "text" method which escapes any data placed into the node.

swipebox/src/js/jquery.swipebox.js

Line 719 in c622743

$( '#swipebox-title' ).append( title );