Edgewall Software

Opened 18 years ago

Closed 17 years ago

Last modified 13 years ago

#983 closed defect (fixed)

onload events in wiki allow JavaScript execution.

Reported by: daniel
Owned by: Christopher Lenz
Priority: high
Milestone: 0.8.1
Component: wiki system
Version: 0.8
Severity: critical


The HTML Processor doesn't allow <script> blocks, but it allows
intrinsic events (onload etc.). Renders the ban ineffective, no?

-- Martin Bialasinski

The wiki formatting code should strip event attributes.

Attachments (1)

983.patch (1.3 KB) - added by anonymous 17 years ago.
patch to disallow script attributes

Change History (5)

by anonymous, 17 years ago

Attachment: 983.patch added

patch to disallow script attributes

comment:1 by anonymous, 17 years ago

Added 3 needless lines of code.

comment:2 by anonymous, 17 years ago

Owner: changed from Jonas Borgström to jamie
Priority: highest → high
Severity: critical → normal

Changing the state in various ways.

comment:3 by Christopher Lenz, 17 years ago

Owner: changed from jamie to Christopher Lenz
Severity: normal → critical
Status: new → assigned

comment:4 by Christopher Lenz, 17 years ago

Resolution: fixed
Status: assigned → closed

Fixed in [1216], ported to stable in [1217]. Thanks for the patch!
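
The behaviour this ticket asks for, dropping intrinsic event attributes as well as <script> blocks, sketched as an added example. It is not Trac's code and not the attached 983.patch; the names `sanitize`, `EventStrippingSanitizer`, `BLOCKED_TAGS` and `VOID_TAGS` are hypothetical and the inputs in the checks are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for this example, not Trac's own lists.
BLOCKED_TAGS = {"script"}          # elements dropped together with their content
VOID_TAGS = {"br", "hr", "img"}    # elements that take no closing tag


class EventStrippingSanitizer(HTMLParser):
    """Re-emit an HTML fragment without <script> elements or on* attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a blocked element

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            # HTMLParser lowercases names, so ONLOAD and onLoad are caught too.
            if name.startswith("on"):
                continue
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return the fragment with script elements and event attributes removed."""
    parser = EventStrippingSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Only the two cases named in the ticket are handled here; an unclosed <script> causes everything after it to be dropped rather than passed through.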
