Opened 13 years ago
Last modified 13 years ago
#10114 closed defect
The html macro does not sanitize behaviour:url in style attributes — at Initial Version
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 0.12.3 |
Component: | wiki system | Version: | |
Severity: | normal | Keywords: | xss ie security |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
The html macro does not sanitize behaviour:url in style attributes... so the following <div style="behavior:url(test.txt)"> could be used to potentially xss a user using IE[0]. The content of text.txt could be something like this: "<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>" -- Source [0] [0] http://heideri.ch/jso/#52
Note:
See TracTickets
for help on using tickets.