Opened 13 years ago
Closed 13 years ago
#10114 closed defect (fixed)
The html macro does not sanitize behaviour:url in style attributes — at Version 3
| Reported by: | anonymous | Owned by: | Remy Blank |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.12.3 |
| Component: | wiki system | Version: | |
| Severity: | normal | Keywords: | xss ie security |
| Cc: | Branch: | ||
| Release Notes: |
Fixed a XSS vulnerability on IE. |
||
| API Changes: | |||
| Internal Changes: | |||
Description (last modified by )
The html macro does not sanitize behaviour:url in style attributes… so the following
<div style="behavior:url(test.txt)">
could be used to potentially xss a user using IE.
The content of text.txt could be something like this:
<SCRIPTLET> <IMPLEMENTS Type="Behavior"></IMPLEMENTS> <SCRIPT Language="javascript">alert(1)</SCRIPT> </SCRIPTLET>
Source: http://heideri.ch/jso/#52
Change History (3)
comment:1 by , 13 years ago
comment:2 by , 13 years ago
| Component: | general → wiki system |
|---|---|
| Keywords: | xss added |
| Milestone: | → 0.12.3 |
| Owner: | set to |
Great, another IE failure… Thanks for the heads-up.
comment:3 by , 13 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | ie security added |
| Release Notes: | modified (diff) |
| Resolution: | → fixed |
| Status: | new → closed |
Verified with IE8, and fixed in [10680].
Note:
See TracTickets
for help on using tickets.
just commenting here so… i will get an email about this ticket .