Opened 10 months ago

Closed 13 days ago

#11593 closed defect (fixed)

Style has not been sanitized

Reported by: uchida_t@… Owned by: mrelbe
Priority: normal Component: WikiExtrasPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

I input CSS Expression in box.

{{{#!box style="width:expression(alert(1));"
}}}

Output:

<div class="wikiextras box shadow" style="width:expression(alert(1));"></div>

This can be used for XSS attacks in IE8 or older. Do you sanitize like WikiHtml (#!html)?

Attachments (1)

sanitize-attribute-r13796.diff (2.6 KB) - added by jun66j5 9 months ago.

Change History (3)

Changed 9 months ago by jun66j5

comment:1 Changed 9 months ago by jun66j5

The plugin certainly should sanitize the attributes. Also, #!Color processor has the same issue.

{{{#!Color color=green font-size="expression(alert(1));"
}}}

Please try sanitize-attribute-r13796.diff.

comment:2 Changed 13 days ago by mrelbe

  • Resolution set to fixed
  • Status changed from new to closed

In 14315:

WikiExtrasPlugin 1.0dev: Sanitize macro attributes

Patch by Jun Omae, many thanks! Fixes #11593
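As an added illustration (not code from WikiExtrasPlugin or from the attached diff), a Python style-attribute sanitizer that rejects the `expression(...)` values shown in this ticket before the value is emitted into the div; the property allow-list and the helper names are assumptions, and the same per-value check applies to attributes such as `font-size=` on the `#!Color` processor.

```python
import re
from html import escape

# Allow-list of properties the box/Color macros plausibly need (assumption, not the plugin's list).
ALLOWED_PROPERTIES = {"width", "height", "color", "background-color", "font-size",
                      "border", "margin", "padding", "text-align"}
# Value constructs that execute script or load external code in legacy browsers (IE8 and older).
_UNSAFE_VALUE = re.compile(r"expression\s*\(|javascript\s*:|vbscript\s*:|-moz-binding|behavior\s*:", re.I)
# After normalization a value may only contain these characters (rules out quotes, ':' and '\').
_SAFE_CHARS = re.compile(r"^[-\w\s.,%#()/]*$")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")


def _unescape_hex(m):
    code = int(m.group(1), 16)
    return chr(code) if code <= 0x10FFFF else "\ufffd"


def _normalize(value):
    """Undo the obfuscations a filter must see through: CSS comments and CSS escapes."""
    value = _CSS_COMMENT.sub("", value)
    value = _CSS_HEX_ESCAPE.sub(_unescape_hex, value)
    return re.sub(r"\\(.)", r"\1", value)


def sanitize_style(style):
    """Keep only declarations with an allowed property and a value that is safe once normalized."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue
        prop, value = prop.strip().lower(), _normalize(value).strip()
        if prop not in ALLOWED_PROPERTIES:
            continue
        if _UNSAFE_VALUE.search(value) or not _SAFE_CHARS.match(value):
            continue
        kept.append("%s: %s" % (prop, value))
    return "; ".join(kept)


def render_box(style):
    """Emit the div from the ticket with the style attribute sanitized and then HTML-escaped."""
    return '<div class="wikiextras box shadow" style="%s"></div>' % escape(sanitize_style(style), quote=True)


if __name__ == "__main__":
    print(render_box("width:expression(alert(1));"))   # the ticket's input, declaration dropped
    print(render_box("width: 50%; color: green"))       # harmless declarations pass through
```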
