Opened 13 years ago
Last modified 13 years ago
#10114 closed defect
The html macro does not sanitize behaviour:url in style attributes — at Initial Version
| Reported by: | anonymous | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.12.3 |
| Component: | wiki system | Version: | |
| Severity: | normal | Keywords: | xss ie security |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
The html macro does not sanitize behaviour:url in style attributes... so the following <div style="behavior:url(test.txt)"> could be used to potentially xss a user using IE[0]. The content of text.txt could be something like this: "<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>" -- Source [0] [0] http://heideri.ch/jso/#52
Note:
See TracTickets
for help on using tickets.
