Opened 3 years ago

Closed 3 years ago

#11593 closed defect (fixed)

Style has not been sanitized

Reported by: uchida_t@…
Owned by: Mikael Relbe
Priority: normal
Component: WikiExtrasPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description

I input a CSS expression in a box.

{{{#!box style="width:expression(alert(1));"
}}}

Output:

<div class="wikiextras box shadow" style="width:expression(alert(1));"></div>

This can be used for an XSS attack in IE8 or older. Do you sanitize like WikiHtml (#!html)?

Attachments (1)

sanitize-attribute-r13796.diff (2.6 KB) - added by Jun Omae 3 years ago.

Change History (3)

Changed 3 years ago by Jun Omae

comment:1 Changed 3 years ago by Jun Omae

The plugin certainly should sanitize the attributes. Also, #!Color processor has the same issue.

{{{#!Color color=green font-size="expression(alert(1));"
}}}

Please try sanitize-attribute-r13796.diff.
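One way to do the attribute sanitizing that comment:1 asks for, as an added example that is not the plugin's code or Jun Omae's patch: a style sanitizer in Python that drops any declaration able to run script, applied to the whole #!box style string and to a single #!Color attribute. The property allow-list and the helper names are assumptions.

```python
import re
from html import escape

# Constructed allow-list of properties a box/colour macro needs (assumption,
# not the plugin's real list): unknown properties are dropped outright.
SAFE_PROPERTIES = {"width", "height", "color", "background-color", "font-size",
                   "font-weight", "text-align", "float", "margin", "padding", "border"}
# Constructs that let a style declaration run script or fetch a resource.
UNSAFE_VALUE = re.compile(r"expression\s*\(|url\s*\(|javascript:|behavior\s*:|"
                          r"@import|-moz-binding", re.IGNORECASE)
# The only function-call syntax allowed in a value.
ALLOWED_FUNC = re.compile(r"^rgb\(\s*\d{1,3}(\s*,\s*\d{1,3}){2}\s*\)$", re.IGNORECASE)

def _normalize(text):
    """Undo the obfuscations used to hide keywords from naive filters."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)                 # exp/**/ression
    text = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(int(m.group(1), 16)), text)            # expr\65ssion
    text = text.replace("\\", "")                                      # bare backslashes
    return "".join(ch for ch in text if ch.isprintable() or ch in " \t\n")

def sanitize_declaration(prop, val):
    """Return (prop, val) for a single safe declaration, or None to drop it."""
    prop = _normalize(prop).strip().lower()
    val = _normalize(val).strip()
    if prop not in SAFE_PROPERTIES or not val or UNSAFE_VALUE.search(val):
        return None
    if "(" in val and not ALLOWED_FUNC.match(val):
        return None
    return prop, val

def sanitize_style(style):
    """Keep only the safe declarations of a full style string ("" if none)."""
    kept = []
    for decl in _normalize(style).split(";"):
        if ":" in decl:
            result = sanitize_declaration(*decl.split(":", 1))
            if result:
                kept.append("%s:%s" % result)
    return ";".join(kept)

def render_box_div(style):
    """Emit the box tag from the ticket, omitting the attribute if nothing is left."""
    safe = sanitize_style(style)
    attr = ' style="%s"' % escape(safe, quote=True) if safe else ""
    return '<div class="wikiextras box shadow"%s></div>' % attr
```

Dropping the whole declaration rather than editing it keeps the sanitizer simple to reason about; the comment and hex-escape normalization is what stops trivial bypasses of the keyword check.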

comment:2 Changed 3 years ago by Mikael Relbe

Resolution: fixed
Status: new → closed

In 14315:

WikiExtrasPlugin 1.0dev: Sanitize macro attributes

Patch by Jun Omae, many thanks! Fixes #11593
