#10113 closed defect (worksforme)
use of the html comment macro can be used to xss firefox 3.6 users
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | wiki system | Version: | |
| Severity: | normal | Keywords: | needinfo |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
use of the html comment macro can be used to xss firefox 3.6 users e.g.
Attachments (0)
Change History (8)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Component: | general → wiki system |
|---|---|
| Keywords: | needinfo added |
I don't see how this can work. The end of an HTML comment is given by the sequence -->, and we disallow the sequence -- in #!htmlcomment blocks. The block you pasted in the description of this ticket doesn't trigger anything here (Firefox 3.6.15).
Could you please explain how to reproduce the issue?
comment:4 by , 14 years ago
No, the snippet is there in the source (it is also in this page) but no execution. Could this be due to a Firefox plugin that you have installed?
comment:5 by , 14 years ago
Weird, see this and the opera issue I reported I didn't test. I did test the IE issue. I have previously tested <-- > against firefox3.6 - I will re-test it again(it worked before mmhmmm maybe my memory is funny :P ).
comment:6 by , 14 years ago
Yeah ok. So this in html works against firefox 3.6.16. <html> <body> <!-- %- - > <script>alert(1);</script> </html> However, in the htmlcomment macro it comes out like this <!-- %- - > <script>alert(1);</script> --> and it doesn't work.
comment:7 by , 14 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
So there's no immediate danger, then. Please re-open if you can find a combination that works.
erh … it removed it :/
{{{ #!htmlcomment ohmy % > ohoh<script>alert(1);</script> }}}