Edgewall Software
Modify

Ticket #983 (closed defect: fixed)

Opened 8 years ago

Last modified 3 years ago

onload events in wiki allows javascript execution.

Reported by: daniel Owned by: cmlenz
Priority: high Milestone: 0.8.1
Component: wiki system Version: 0.8
Severity: critical Keywords:
Cc:
Release Notes:
API Changes:

Description 

The HTML Processor doesn't allow <script> blocks, but it allows
intrinsic events (onload etc.). Renders the ban uneffective, no?

-- Martin Bialasinski

The wiki formatting code should strip event attributes.

Attachments

983.patch (1.3 KB) - added by anonymous 7 years ago.
patch to disallow script attributes

Download all attachments as: .zip

Change History

Changed 7 years ago by anonymous

patch to disallow script attributes

comment:1 Changed 7 years ago by anonymous

Added 3 needless lines of code.

comment:2 Changed 7 years ago by anonymous

  • Owner changed from jonas to jamie
  • Priority changed from highest to high
  • Severity changed from critical to normal

Changing the state is various ways.

comment:3 Changed 7 years ago by cmlenz

  • Milestone changed from 0.9 to 0.8.1
  • Owner changed from jamie to cmlenz
  • Severity changed from normal to critical
  • Status changed from new to assigned

comment:4 Changed 7 years ago by cmlenz

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in [1216], ported to stable in [1217]. Thanks for the patch!

View

Add a comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
The resolution will be deleted. Next status will be 'reopened'
to The owner will be changed from cmlenz. Next status will be 'closed'
Author


E-mail address and user name can be saved in the Preferences.

Attachments
 
Note: See TracTickets for help on using tickets.