Opened 6 months ago

Last modified 5 months ago

#11593 new defect

Style has not been sanitized

Reported by: uchida_t@… Owned by: mrelbe
Priority: normal Component: WikiExtrasPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

I input a CSS expression in a box.

{{{#!box style="width:expression(alert(1));"
}}}

Output:

<div class="wikiextras box shadow" style="width:expression(alert(1));"></div>

This can be used for an XSS attack in IE8 or older. Do you sanitize like WikiHtml (#!html)?

Attachments (1)

sanitize-attribute-r13796.diff (2.6 KB) - added by jun66j5 5 months ago.

Change History (2)

Changed 5 months ago by jun66j5

comment:1 Changed 5 months ago by jun66j5

The plugin certainly should sanitize the attributes. Also, the #!Color processor has the same issue.

{{{#!Color color=green font-size="expression(alert(1));"
}}}

Please try sanitize-attribute-r13796.diff.
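As an added illustration of the attribute sanitizing comment:1 asks for (not the plugin's code and not the attached diff; Trac itself ships a TracHTMLSanitizer that can be used instead), the stand-alone Python below keeps only allow-listed CSS declarations whose values are plain tokens, stripping comments first so split-up words like `ex/**/pression` cannot slip through. The property allow-list and the `render_box` helper are assumptions made for this example.

```python
import html
import re

# Assumed allow-list of properties the box and Color processors need; everything else is dropped.
ALLOWED_PROPERTIES = frozenset([
    "width", "height", "color", "background-color", "font-size", "font-weight",
    "text-align", "margin", "padding", "border",
])

# CSS comments can split a dangerous token (ex/**/pression), so remove them before checking.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# Tokens that turn a style attribute into script execution or a remote fetch (IE expression(),
# behavior:, url(), javascript:, @import, backslash escapes, and a stray '<').
_UNSAFE_RE = re.compile(r"(expression|url|behavior|javascript|vbscript|@import|\\|<)", re.IGNORECASE)
# A value may contain only numbers, units, colour names, hex colours, percent signs and spaces.
_VALUE_RE = re.compile(r"^[-#\w\s.%]+$", re.ASCII)


def sanitize_style(style):
    """Return a style string containing only allow-listed declarations with safe values."""
    kept = []
    for decl in _COMMENT_RE.sub("", style).split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        prop = prop.lower()
        if prop not in ALLOWED_PROPERTIES:
            continue
        # Both checks are kept on purpose: the value pattern already rejects '(' and quotes,
        # the token list documents what we are defending against.
        if _UNSAFE_RE.search(value) or not _VALUE_RE.match(value):
            continue
        kept.append("%s:%s" % (prop, value))
    return ";".join(kept)


def render_box(style):
    """Hypothetical box processor output: the style attribute is emitted only if something safe remains."""
    safe = sanitize_style(style)
    attr = ' style="%s"' % html.escape(safe, quote=True) if safe else ""
    return '<div class="wikiextras box shadow"%s></div>' % attr
```

With the ticket's input, `render_box('width:expression(alert(1));')` yields a div with no style attribute at all, while an ordinary `width: 200px; color: green` passes through unchanged apart from whitespace.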
