From bcad4bcb5f5a9ef079b2883a48a698b35261e083 Mon Sep 17 00:00:00 2001
From: Johann-S <johann.servoire@gmail.com>
Date: Fri, 25 Aug 2017 21:54:49 +0200
Subject: [PATCH] Fix XSS in data-target

---
 js/src/util.js             | 2 +-
 js/tests/visual/modal.html | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/js/src/util.js b/js/src/util.js
index 69fb8283cc..cd3f1fb6a2 100644
--- a/js/src/util.js
+++ b/js/src/util.js
@@ -117,7 +117,7 @@ const Util = (($) => {
       }
 
       try {
-        const $selector = $(selector)
+        const $selector = $(document).find(selector)
         return $selector.length > 0 ? selector : null
       } catch (error) {
         return null
diff --git a/js/tests/visual/modal.html b/js/tests/visual/modal.html
index c9a950b8c3..da9bbf93ab 100644
--- a/js/tests/visual/modal.html
+++ b/js/tests/visual/modal.html
@@ -167,6 +167,10 @@
       <div class="bg-dark text-white p-2" id="tall" style="display: none;">
         Tall body content to force the page to have a scrollbar.
       </div>
+
+      <button type="button" class="btn btn-secondary btn-lg" data-toggle="modal" data-target="&#x3C;div class=&#x22;modal fade the-bad&#x22; tabindex=&#x22;-1&#x22; role=&#x22;dialog&#x22;&#x3E;&#x3C;div class=&#x22;modal-dialog&#x22; role=&#x22;document&#x22;&#x3E;&#x3C;div class=&#x22;modal-content&#x22;&#x3E;&#x3C;div class=&#x22;modal-header&#x22;&#x3E;&#x3C;button type=&#x22;button&#x22; class=&#x22;close&#x22; data-dismiss=&#x22;modal&#x22; aria-label=&#x22;Close&#x22;&#x3E;&#x3C;span aria-hidden=&#x22;true&#x22;&#x3E;&#x26;times;&#x3C;/span&#x3E;&#x3C;/button&#x3E;&#x3C;h4 class=&#x22;modal-title&#x22;&#x3E;The Bad Modal&#x3C;/h4&#x3E;&#x3C;/div&#x3E;&#x3C;div class=&#x22;modal-body&#x22;&#x3E;This modal&#x27;s HTTML source code is declared inline, inside the data-target attribute of it&#x27;s show-button&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;&#x3C;/div&#x3E;">
+        Modal with an XSS inside the data-target
+      </button>
     </div>
 
     <script src="../../../assets/js/vendor/jquery-slim.min.js"></script>
-- 
2.47.2