jQuery Manipulation Sinks
jQuery
List of Sinks
Global jQuery Functions
The following sinks allow HTML injection:

* jQuery( htmlText [, ownerDocument] ) and $( htmlText [, ownerDocument] ): if the first argument looks like HTML (a string containing a tag), jQuery builds an HTML fragment from it instead of treating it as a selector. Inline event handlers in that fragment fire as soon as the elements are created, e.g. an <img src=x onerror=...> triggers even if the fragment is never inserted into the document.
* Update: as of version 1.6.1 this is exploitable only if the htmlText does not start with # (strings beginning with # are treated as ID selectors, which killed the classic $("#<img src=x onerror=...>") payload built from location.hash).
* Update2: as of version 1.9.0 this is exploitable only if the htmlText starts with '<'; anything else is handed to the selector engine.
* jQuery.parseHTML( htmlText [, context] [, keepScripts] ): static method introduced in version 1.8.0 that parses the string with the browser's own HTML parser (DIV.innerHTML). <script> elements are dropped unless keepScripts is true, but inline handlers such as onerror survive and fire once the returned nodes are inserted. (Thanks to Gareth Heyes for pointing this out.)
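The version notes above come down to one decision inside jQuery(): is the string HTML or a selector? The following added example (not jQuery's own code, and not part of the original page) reproduces that decision for the three eras. The three regular expressions are my reconstruction of jQuery's quickExpr / rquickExpr from the 1.x source and should be treated as an assumption; diff them against the exact version you ship before relying on them.

```javascript
// Added example (not jQuery's code): how jQuery( htmlText ) decides whether a
// string is HTML or a selector, across the three eras described above.
// ASSUMPTION: the regexes below are reconstructed from memory of the jQuery 1.x
// source (quickExpr / rquickExpr); check them against your shipped version.
const QUICK_EXPR = {
  // jQuery < 1.6.1: a tag anywhere in the string makes it HTML, so
  // "#<img src=x onerror=...>" was parsed as markup instead of an ID selector.
  legacy: /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // jQuery 1.6.1 - 1.8.x: nothing before the first '<' may be a '#'.
  v161: /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // jQuery >= 1.9: the string has to start with '<' to be treated as HTML.
  v19: /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
};
const ERAS = Object.keys(QUICK_EXPR);

// Returns 'html' (a fragment is built: the sink is reachable), 'id-selector'
// (getElementById fast path) or 'selector' (handed to Sizzle, no HTML parsing).
function classify(input, era) {
  if (typeof input !== 'string') return 'other';
  let match = null;
  if (era === 'v19') {
    // 1.9 short-circuits strings shaped like "<...>" before running the regex.
    if (input.charAt(0) === '<' && input.charAt(input.length - 1) === '>' && input.length >= 3) {
      match = [null, input, null];
    } else {
      match = QUICK_EXPR.v19.exec(input);
    }
  } else {
    match = QUICK_EXPR[era].exec(input);
  }
  if (!match) return 'selector';
  return match[1] ? 'html' : 'id-selector';
}

// Which jQuery eras would build an HTML fragment from this attacker string?
function vulnerableEras(input) {
  return ERAS.filter((era) => classify(input, era) === 'html');
}

// Constructed inputs: the kind of location.hash payloads a tester tries.
const PAYLOADS = [
  '<img src=x onerror=alert(1)>',   // HTML in every version
  '#<img src=x onerror=alert(1)>',  // only pre-1.6.1 (app used $("#" + hash))
  'x<img src=x onerror=alert(1)>',  // 1.8 and earlier; 1.9 needs a leading '<'
  '#main',                          // always an ID selector
  'div.item',                       // always a selector
];

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p), '->', vulnerableEras(p).join(',') || 'never HTML');
}
```

The practical consequence: on jQuery 1.9+ the only way to reach the HTML branch of $() with user input is a string that begins with '<', so `$("#" + location.hash.slice(1))` is no longer a sink there, while `$(location.hash.slice(1))` still is.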
The following sinks allow JavaScript execution:

* jQuery.globalEval( code ): equivalent to the eval sink; the string is executed as script in the global scope.
Element-specific Functions
* element.add( userContent ): adds elements to the matched set; an HTML string argument is parsed into new elements first.
* element.append( userContent ): inserts the given HTML at the end of each matched element.
* element.after( userContent ): inserts the given HTML after each matched element.
* element.before( userContent ): inserts the given HTML before each matched element.
* element.html( userContent ): equivalent to assigning element.innerHTML = userContent, except that jQuery also executes any <script> elements in the string, which a plain innerHTML assignment would not.
* element.prepend( userContent ): inserts the given HTML at the beginning of each matched element.
* element.replaceWith( userContent ): replaces each matched element with the given content.
* element.wrap( userContent ): wraps each matched element in the given HTML structure.
* element.wrapAll( userContent ): wraps all matched elements together in the given HTML structure.

In general, every function that accepts the htmlString type is a sink (see the jQuery API documentation). Other such functions include .wrapInner(), .appendTo(), .prependTo(), .insertAfter(), .insertBefore() and .replaceAll(). The safe counterpart for untrusted text is .text( userContent ), which escapes its argument instead of parsing it. (TODO: extract the complete list from the docs.)
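To make the list above actionable in a code review, here is an added example (my own code, not from the page or from jQuery): a small static scanner that finds calls to the global and element-specific sinks listed above, ignores calls whose argument is a plain string literal, and rates a finding 'high' when the argument visibly references a DOM source. The sink set, the source regex and the sample lines are assumptions constructed for this demo, not a complete catalogue or real application code.

```javascript
// Added example (not from the page): a small static scanner for the jQuery
// sinks listed above. It flags calls whose argument is not a string literal
// and rates them 'high' when the argument visibly references a DOM source.
// ASSUMPTION: the sink and source lists are illustrative, not exhaustive.
const JQUERY_HTML_SINKS = new Set([
  'add', 'append', 'after', 'before', 'html', 'prepend', 'replaceWith',
  'wrap', 'wrapAll', 'wrapInner', 'parseHTML', 'globalEval',
]);
// Attacker-controlled DOM properties that commonly feed these sinks.
const DOM_SOURCES = /\b(?:location(?:\.(?:hash|search|href|pathname))?|document\.(?:referrer|URL|cookie)|window\.name)\b/;
// Matches "$(" / "jQuery(" (group 1 undefined) or ".name(" (group 1 = name).
const CALL_RE = /(?:\$|\bjQuery)\s*\(|\.([A-Za-z_$][\w$]*)\s*\(/g;

// Text between the '(' at src[open] and its matching ')', or null if unbalanced.
function extractArg(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// A single quoted literal cannot carry attacker input. Template literals that
// contain ${...} are deliberately NOT treated as literals.
function isStringLiteral(arg) {
  const t = arg.trim();
  return /^(['"])(?:\\.|(?!\1)[^\\])*\1$/.test(t) || /^`[^`$]*`$/.test(t);
}

// Scan an array of source lines; returns one finding per suspicious sink call.
function scanSource(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    CALL_RE.lastIndex = 0;
    let m;
    while ((m = CALL_RE.exec(line)) !== null) {
      const name = m[1] === undefined ? 'jQuery()' : m[1];
      const open = m.index + m[0].length - 1;      // index of the '('
      const arg = extractArg(line, open);
      if (arg === null) break;
      CALL_RE.lastIndex = open + 1;                // keep scanning inside the argument
      if (m[1] !== undefined && !JQUERY_HTML_SINKS.has(name)) continue;
      if (isStringLiteral(arg)) continue;
      findings.push({
        line: idx + 1,
        sink: name,
        arg: arg.trim(),
        severity: DOM_SOURCES.test(arg) ? 'high' : 'review',
      });
    }
  });
  return findings;
}

// Constructed sample: lines a reviewer might meet in an application bundle.
const SAMPLE = [
  "$('#out').html(decodeURIComponent(location.hash.slice(1)));", // sink fed by a source
  "$('#out').text(location.hash);",                               // .text() escapes: not a sink
  "$('<div class=\"row\"></div>').appendTo('#list');",            // literal HTML, no user input
  "$(window.name);",                                              // $() with a source
  "jQuery.parseHTML(document.referrer);",
  "$('#list').append(item.name);",                                // non-literal, taint unknown
  "$.globalEval('return 1');",                                    // literal
];

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.severity.padEnd(6)} ${f.sink}( ${f.arg} )`);
}
```

Run against the constructed sample it reports four findings: line 1 (html, high), line 4 (jQuery(), high), line 5 (parseHTML, high) and line 6 (append, review). The 'review' bucket is where manual taint tracing starts; a grep-level scanner like this cannot tell whether item.name came from a JSON response or from the URL.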
Warning: This list is still far from being complete.