Context Navigation

Modify ↓

#10114 closed defect (fixed)

Reported by:	anonymous	Owned by:	Remy Blank
Priority:	normal	Milestone:	0.12.3
Component:	wiki system	Version:
Severity:	normal	Keywords:	xss ie security
Cc:		Branch:
Release Notes:	Fixed a XSS vulnerability on IE.
API Changes:
Internal Changes:

The html macro does not sanitize behaviour:url in style attributes… so the following

<div style="behavior:url(test.txt)">

could be used to potentially xss a user using IE.

The content of text.txt could be something like this:

<SCRIPTLET>
<IMPLEMENTS Type="Behavior"></IMPLEMENTS>
<SCRIPT Language="javascript">alert(1)</SCRIPT>
</SCRIPTLET>

just commenting here so… i will get an email about this ticket .

Great, another IE failure… Thanks for the heads-up.

Verified with IE8, and fixed in [10680].

Change Properties

Summary:
Description:	The html macro does not sanitize behaviour:url in style attributes... so the following {{{ <div style="behavior:url(test.txt)"> }}} could be used to potentially xss a user using IE. The content of text.txt could be something like this: {{{ <SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET> }}} Source: http://heideri.ch/jso/#52 You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Fixed a XSS vulnerability on IE.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Remy Blank.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Remy Blank to the specified user.

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.