XSS scripting attack possible from html wikiprocessor
|Reported by:||Owned by:||Christopher Lenz|
Using the html WikiProcessor, it's possible to inject a malicious script (for example, a cookie-stealing attack) against other clients viewing the page with IE or Opera (and possibly other browsers).
As an example of this Cross-Site Scripting (XSS) attack, consider the following:
Trac has done a decent job about filtering the more obvious of these in the html WikiProcessor (e.g. Trac disallows the <script> tag), but overly-permissive browsers make this a much tricker problem.
For more information about some other possible XSS vectors, see http://ha.ckers.org/xss.html
Change History (7)
comment:3 by , 15 years ago
|Summary:||XSS scripting attack possible from html wikiprocessor → clarifications after anonymous comments.|
comment:4 by , 15 years ago
|Summary:||clarifications after anonymous comments. → XSS scriptingattack possible from html wikiprocessor|
comment:5 by , 15 years ago
|Priority:||normal → high|
|Status:||new → assigned|