Edgewall Software
Modify

Opened 21 years ago

Closed 21 years ago

Last modified 16 years ago

#983 closed defect (fixed)

onload events in wiki allows javascript execution.

Reported by: daniel Owned by: Christopher Lenz
Priority: high Milestone: 0.8.1
Component: wiki system Version: 0.8
Severity: critical Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description 

The HTML Processor doesn't allow <script> blocks, but it allows
intrinsic events (onload etc.). Renders the ban uneffective, no?

-- Martin Bialasinski

The wiki formatting code should strip event attributes.

Attachments (1)

983.patch (1.3 KB ) - added by anonymous 21 years ago.
patch to disallow script attributes

Download all attachments as: .zip

Change History (5)

by anonymous, 21 years ago

Attachment: 983.patch added

patch to disallow script attributes

comment:1 by anonymous, 21 years ago

Added 3 needless lines of code.

comment:2 by anonymous, 21 years ago

Owner: changed from Jonas Borgström to jamie
Priority: highesthigh
Severity: criticalnormal

Changing the state is various ways.

comment:3 by Christopher Lenz, 21 years ago

Milestone: 0.90.8.1
Owner: changed from jamie to Christopher Lenz
Severity: normalcritical
Status: newassigned

comment:4 by Christopher Lenz, 21 years ago

Resolution: fixed
Status: assignedclosed

Fixed in [1216], ported to stable in [1217]. Thanks for the patch!

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christopher Lenz.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Christopher Lenz to the specified user.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.