XSS vulnerability in option title

[AndreasPresthammer]

Reproduced in versions:
bootstrap-select 1.12.2 and latest master
bootstrap 3.3.7
jquery 3.2.1
Tested in Chrome 57

The title attribute is vulnerable to XSS attack.

An option looking like this will trigger javascript evaluation when clicked:
<option title="&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;">My XSS</option>

NB: You must CLICK the option to reproduce the issue.

Issue reproduced in this js fiddle: https://jsfiddle.net/mrbajggc/

Also reproduced against latest master in https://jsfiddle.net/b2q65nbe/2/ as of commit 1574419

[AntGarSil]

This is still open, observed something similar during a security assessment.

I believe the issue is in the following line

826: this.$button.attr('title', htmlUnescape($.trim(title.replace(/<[^>]*>?/g, ''))));
827: this.$button.children('.filter-option').html(title);

Line 827 is not escaping the title before adding it as child to the element. This could be fixed if escaping as in line 826

827: this.$button.children('.filter-option').html(htmlUnescape($.trim(title.replace(/<[^>]*>?/g, ''))));

[caseyjhol]

This has been fixed and released in v1.13.0!

[latuszek]

@caseyjhol Are You sure this is fixed correctly? The escaped tags are still parsed as non-escaped. <script> tag does not work, but all the others seems to work. Please see:
https://jsfiddle.net/b1dhf8ec/2/

Edit: I've created separate issue for this: #2199