jquery-validation Cross-Site Scripting Vulnerability in showLabel Function

A cross-site scripting (XSS) vulnerability has been identified in the jquery-validation package, affecting versions prior to 1.20.0. The issue arises in the showLabel() function, which can be manipulated by user-controlled placeholder values. These values are inserted into messages via $.validator.messages, which can be localized by the user.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use a version of jquery-validation prior to 1.20.0. Create a form with a required input field and a placeholder that includes a script tag. When the form is validated, the showLabel() function will use .html() to set the label content, which can lead to script execution if the message includes unescaped HTML.

Remediation

Upgrade jquery-validation to version 1.20.0 or higher. After updating, ensure to set the escapeHtml option to true in the validation configuration to mitigate the XSS risk.