Opened 3 years ago

Closed 2 years ago

#11593 closed defect (fixed)

Style has not been sanitized

Reported by: uchida_t@… Owned by: Mikael Relbe
Priority: normal Component: WikiExtrasPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

I input a CSS expression in a box.

{{{#!box style="width:expression(alert(1));"
}}}

Output:

<div class="wikiextras box shadow" style="width:expression(alert(1));"></div>

This can be used for XSS attacks in IE8 or older. Do you sanitize like WikiHtml (#!html)?

Attachments (1)

sanitize-attribute-r13796.diff (2.6 KB) - added by Jun Omae 3 years ago.

Change History (3)

Changed 3 years ago by Jun Omae

comment:1 Changed 3 years ago by Jun Omae

The plugin certainly should sanitize the attributes. Also, the #!Color processor has the same issue.

{{{#!Color color=green font-size="expression(alert(1));"
}}}

Please try sanitize-attribute-r13796.diff.
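As an added example (not the plugin's code and not the attached patch), the kind of conservative whitelist check that would stop both the #!box and #!Color cases above: only known-harmless properties survive, and any value carrying an active construct such as expression() is dropped. The property whitelist, the function names and the sample inputs are constructed for this example.

```python
import re

# Properties a box/colour macro legitimately needs; everything else is dropped.
# Whitelist constructed for this example, not taken from the plugin.
ALLOWED_PROPS = {
    "width", "height", "color", "background-color", "font-size", "font-weight",
    "border", "margin", "padding", "text-align", "float",
}

# Value constructs that execute script or load active content in old IE
# (expression(), behavior:, -moz-binding) or fetch URLs (url()); all rejected.
_UNSAFE_VALUE = re.compile(
    r"(expression\s*\(|url\s*\(|javascript\s*:|vbscript\s*:|behavior\s*:|-moz-binding)",
    re.I,
)
_COMMENT = re.compile(r"/\*.*?(\*/|$)", re.S)
_ESCAPE = re.compile(r"\\([0-9a-f]{1,6})\s?", re.I)


def normalize_css(text):
    """Strip comments and decode hex escapes so the checks below see the same
    text the browser's CSS parser will (e.g. 'exp/**/ression' -> 'expression')."""
    text = _COMMENT.sub("", text)
    return _ESCAPE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), text)


def sanitize_style(style):
    """Return only whitelisted 'prop:value' declarations whose value is safe."""
    kept = []
    for decl in normalize_css(style).split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPS or not value or _UNSAFE_VALUE.search(value):
            continue
        kept.append("%s:%s" % (prop, value))
    return ";".join(kept)


def sanitize_macro_args(args):
    """Per-attribute form for #!Color-style arguments: each name=value pair is
    checked as one declaration and kept only if it survives unchanged in name."""
    cleaned = {}
    for name, value in args.items():
        decls = sanitize_style("%s:%s" % (name, value)).split(";")
        if len(decls) == 1 and decls[0].startswith(name.lower() + ":"):
            cleaned[name.lower()] = decls[0].split(":", 1)[1]
    return cleaned


if __name__ == "__main__":
    print(repr(sanitize_style("width:expression(alert(1));")))  # ''
    print(sanitize_macro_args({"color": "green", "font-size": "expression(alert(1));"}))
    print(sanitize_style("width: 50%; color: red"))  # width:50%;color:red
```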

comment:2 Changed 2 years ago by Mikael Relbe

Resolution: fixed
Status: new → closed

In 14315:

WikiExtrasPlugin 1.0dev: Sanitize macro attributes

Patch by Jun Omae, many thanks! Fixes #11593
