Opened 9 years ago

Closed 9 years ago

#1581 closed defect (fixed)

TagsPlugin vulnerable against XSS

Reported by: muelli Owned by: athomas
Priority: highest Component: TagsPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.10


If you search for <u>xss</u> you will see, that special HTML characters won't be escaped. See


Although this TagsPlugin (at seems to delete <script>, others won't.

Since you can steal login data from, this is a security-issue with a high severity.

Attachments (0)

Change History (6)

comment:1 Changed 9 years ago by athomas

  • Priority changed from normal to highest

comment:2 Changed 9 years ago by athomas

  • Status changed from new to assigned

comment:3 Changed 9 years ago by athomas

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [2268]) Fix for XSS vulnerability. Closes #1581.

comment:4 Changed 9 years ago by athomas

Hi. Please try r2268 and let me know if that fixes the problem.

comment:5 Changed 9 years ago by muelli@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

Hi. That was a quick response!

Actually it doesn't work for me :-\ And as I think you deployed this update here as well, you can see, that it does not work.

But following the changes, using escape should be fine. cgi.escape should be fine as well, since we don't need to escape everything (thanks to unicode :) ).

But I might have installed the plugin the wrong way :-\ One could refer to t.e.o on [TagsPlugin/Installation] for convenience.

I'll restart the webserver and reinstall the plugin and report.

Maybe others can confirm, that this bug is closed?

Since I haven't seen any working version right now, I have reopened the ticket.

comment:6 Changed 9 years ago by muelli@…

  • Resolution set to fixed
  • Status changed from reopened to closed

oh, you were right.

After restarting the webserver and deleting modules cache several times, I finally made it.

It works now. Thanks for that very quick fix!

Add Comment

Modify Ticket

as closed The owner will remain athomas.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.