VDB
KO
MEDIUM 5.4

GHSA-hvqh-jw65-wcpq

devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs

Details

### Summary

The default `formatGroup` and `formatResult` functions in `devbridge-autocomplete` concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.

### Details

**1. `formatGroup` — `category` is interpolated raw.**

`src/format.ts`:

```ts function formatGroup(suggestion, category) { return '<div class="autocomplete-group">' + category + '</div>'; } ```

If `groupBy` is used and the grouping field of any suggestion contains HTML, that HTML is executed.

**2. `formatResult` — early-return branch returns `suggestion.value` raw.**

`src/format.ts`:

```ts function formatResult(suggestion, currentValue) { if (!currentValue) { return suggestion.value; // un-escaped } /* ... non-empty path escapes correctly ... */ } ```

The early-return branch is reached when `suggest()` renders with an empty `currentValue`, which happens with `minChars: 0` and a server that returns suggestions for an empty query. The returned string is concatenated into the container's `innerHTML`.

### PoC (formatGroup)

```html <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title> </head> <body> <input id="ac" type="text" placeholder="Type 'a' to trigger" autocomplete="off">

<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script> <script src="dist/jquery.autocomplete.js"></script> <script> var poisoned = [ { value: 'Apple', data: { category: "<img src=x onerror=\"alert('XSS via formatGroup')\">" } }, { value: 'Avocado', data: { category: 'Safe Group' } } ];

$('#ac').devbridgeAutocomplete({ lookup: poisoned, groupBy: 'category', minChars: 1 }); </script> </body> </html> ```

Originally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7.

### Impact

XSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS.

### Patch

Both formatters now run their interpolated input through the browser's text-node escaping (`createElement` + `textContent`) before producing the HTML string. Fixed in version `2.0.1`.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / devbridge-autocomplete
Introduced in: 0 Fixed in: 2.0.1
Fix npm install devbridge-autocomplete@2.0.1

References