Opened 17 years ago
Closed 17 years ago
#1581 closed defect (fixed)
TagsPlugin vulnerable against XSS
| Reported by: | muelli | Owned by: | Alec Thomas |
|---|---|---|---|
| Priority: | highest | Component: | TagsPlugin |
| Severity: | critical | Keywords: | |
| Cc: | Trac Release: | 0.10 |
Description
If you search for <u>xss</u> you will see, that special HTML characters won't be escaped. See
- http://www.trac-hacks.org/tags?e=athomas%3Cu%3Exss
- http://www.trac-hacks.org/tags?e=%3Cscript%3Ealert%28document.cookie%3B%3C%2Fscript%3E
and
Although this TagsPlugin (at trac-hacks.org) seems to delete <script>, others won't.
Since you can steal login data from, this is a security-issue with a high severity.
Attachments (0)
Change History (6)
comment:1 Changed 17 years ago by
| Priority: | normal → highest |
|---|
comment:2 Changed 17 years ago by
| Status: | new → assigned |
|---|
comment:3 Changed 17 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:5 Changed 17 years ago by
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
Hi. That was a quick response!
Actually it doesn't work for me :-\ And as I think you deployed this update here as well, you can see, that it does not work.
But following the changes, using escape should be fine. cgi.escape should be fine as well, since we don't need to escape everything (thanks to unicode :) ).
But I might have installed the plugin the wrong way :-\ One could refer to t.e.o on [TagsPlugin/Installation] for convenience.
I'll restart the webserver and reinstall the plugin and report.
Maybe others can confirm, that this bug is closed?
Since I haven't seen any working version right now, I have reopened the ticket.
comment:6 Changed 17 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
oh, you were right.
After restarting the webserver and deleting modules cache several times, I finally made it.
It works now. Thanks for that very quick fix!
(In [2268]) Fix for XSS vulnerability. Closes #1581.