It was written by Stefano Di Paola, the developer of the popular JavaScript analyzer DOMinator. Thanks to him for such a great post; it took me some time to understand it. In this blog post I will try to explain Stefano's post on the jQuery sinks that allow HTML injection.
Demo/Example: I wrote a comment box for my blog website which posts the comment message to the database using jQuery's .load() function. The comment box code grabs the GET parameter value of the current page using PHP code and uses that value in the .load() call.
Line 28 of the comment box code is the PHP that grabs the GET parameter value and echoes it into the script. .load() is one of the jQuery functions that allow HTML injection: it fetches the given URL and inserts the response into the selected element as HTML, so whoever controls its argument controls what gets injected. So I injected the payload in the URL, and the payload executed successfully (the vulnerable code has since been fixed).
Like .load(), many jQuery functions take a string and parse it as HTML, and so allow HTML injection. The jQuery constructor itself, $() / jQuery(), is one of them when the string starts with '<', and so are methods such as .html(), .append(), .prepend(), .after(), .before(), .replaceWith() and .wrap(). Following are a few of them:
So, while pentesting web applications, if you find a jQuery function of this kind that uses user-controlled input from a source such as a GET parameter, location.hash or document.referrer, it may be vulnerable to XSS. The quick check is whether the argument ends up parsed as markup: .text(), by contrast, creates a text node and does not parse its argument as HTML, which is why it is the safe choice for untrusted text. I will try to update this post with more jQuery sinks/functions that allow HTML injection. I would also like to give credit to one more person, Mike Shema.