Modify

Opened 11 years ago

Closed 10 years ago

#11593 closed defect (fixed)

Style has not been sanitized

Reported by: uchida_t@… Owned by: Mikael Relbe
Priority: normal Component: WikiExtrasPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

I input CSS Expression in box. 

{{{#!box style="width:expression(alert(1));"
}}}

Output: 

<div class="wikiextras box shadow" style="width:expression(alert(1));"></div>

This can used to attack xss in IE8 or older. Do you sanitize like WikiHtml(#!html)?

Attachments (1)

sanitize-attribute-r13796.diff (2.6 KB) - added by Jun Omae 11 years ago.

Download all attachments as: .zip

Change History (3)

Changed 11 years ago by Jun Omae

Attachment: sanitize-attribute-r13796.diff added

comment:1 Changed 11 years ago by Jun Omae

The plugin certainly should sanitize the attributes. Also, #!Color processor has the same issue. 

{{{#!Color color=green font-size="expression(alert(1));"
}}}

Please try sanitize-attribute-r13796.diff.

comment:2 Changed 10 years ago by Mikael Relbe

Resolution: fixed
Status: newclosed

In 14315:

WikiExtrasPlugin 1.0dev: Sanitize macro attributes

Patch by Jun Omae, many thanks! Fixes #11593

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Mikael Relbe.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.