
Limited HTML attribute injection in 1.7 rc
Status: Closed, Resolved (Public)

Description

Author: nickpj

Description:

While doing a fuzz stress test of 1.7 rc, I found one limited HTML attribute injection:

#*; <pre dir=mailto:,,,,fffffff}}TOC||[[x|y]]&#x22;&#x0A;-------<cite>

HTML result:

<ul><li><ul><li><ol><li><ul><li><ul><li><ul><li><dl><dt> <pre
dir="mailto:,,,,fffffff}}TOC||[[x|y]]&quot;
</dt></dl>
</li></ul>
</li></ul>
</li></ul>
</li></ol>
</li></ul>
</li></ul>

<p>-------&lt;cite">

(i.e. the </dt>, </dl>, </li>, </ul>, </ol> and <p> tags are injected). It also
generates a Tidy error.

P.S. My gut suspicion is that we're approaching the last of the injectable stuff
using the Parser.


Version: 1.7.x
Severity: normal
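The mechanism behind the report above, as an added model (this is not MediaWiki's Sanitizer or the r15399 fix, and the set of characters the hardened encoder escapes is an assumption chosen to illustrate the point): the unquoted attribute value carries `&#x22;` and `&#x0A;`. A sanitizer that decodes character references and then re-encodes only the four XML specials turns `&#x0A;` into a raw newline inside the attribute, and leaves `}}`, `||` and `[[x|y]]` intact, so the later line-oriented and wikitext passes see a line ending and markup where they should see opaque attribute text. The hardened encoder re-encodes whitespace and wiki-syntax characters as numeric references, which decode to the same value but cannot be mistaken for syntax by a later stage.

```python
import html
import re

# Constructed sample, taken from the fuzz input in the report: an unquoted
# attribute value containing an encoded quote, an encoded newline, and
# wiki-syntax characters that later parser passes would act on.
SAMPLE_TAG = '<pre dir=mailto:,,,,fffffff}}TOC||[[x|y]]&#x22;&#x0A;-------<cite>'

TAG_RE = re.compile(r'<([A-Za-z][A-Za-z0-9]*)\s*(.*?)>', re.S)
# name = "quoted" | 'quoted' | unquoted-run (no whitespace, quotes or '>')
ATTR_RE = re.compile(
    r'([A-Za-z][-A-Za-z0-9]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

# Characters that are harmless to HTML but meaningful to a wikitext parser or a
# line-oriented pass; chosen for illustration, not copied from any project.
WIKI_SENSITIVE = {
    '\n': '&#10;', '\r': '&#13;', '\t': '&#9;',
    '{': '&#123;', '}': '&#125;', '[': '&#91;', ']': '&#93;', '|': '&#124;',
}


def parse_attributes(attr_text):
    """Return [(name, raw_value)] from the text between the tag name and '>'."""
    attrs = []
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs.append((m.group(1).lower(), value))
    return attrs


def naive_encode(value):
    """Escape only & < > \" ': a decoded newline or '}}' survives untouched."""
    return html.escape(value, quote=True)


def safe_encode(value):
    """naive_encode, then numeric references for anything a later pass could
    read as syntax; html.unescape() still recovers the original value."""
    out = html.escape(value, quote=True)
    for ch, ref in WIKI_SENSITIVE.items():
        out = out.replace(ch, ref)
    return out


def render_tag(tag_text, encode):
    """Decode character references in each attribute value (as a sanitizer
    must, to canonicalise), then re-emit the tag with quoted, encoded values."""
    m = TAG_RE.match(tag_text)
    if m is None:
        raise ValueError('not a tag: %r' % tag_text)
    name, attr_text = m.group(1).lower(), m.group(2)
    parts = ['%s="%s"' % (attr, encode(html.unescape(raw)))
             for attr, raw in parse_attributes(attr_text)]
    return '<%s %s>' % (name, ' '.join(parts)) if parts else '<%s>' % name


def attribute_values(rendered):
    """Attribute values exactly as the next pipeline stage sees them."""
    return re.findall(r'="([^"]*)"', rendered)


def leaks_into_later_stages(rendered):
    """True if any attribute value still contains a line break or wiki markup
    that a line-oriented or wikitext pass would interpret."""
    markers = ('\n', '\r', '{{', '}}', '[[', ']]', '|')
    return any(mk in v for v in attribute_values(rendered) for mk in markers)


def round_trips(rendered, original_tag=SAMPLE_TAG):
    """Hardening must not change meaning: decoding the emitted value gives the
    same text as decoding the raw input value."""
    m = TAG_RE.match(original_tag)
    expected = [html.unescape(raw) for _, raw in parse_attributes(m.group(2))]
    return [html.unescape(v) for v in attribute_values(rendered)] == expected


if __name__ == '__main__':
    for label, enc in (('naive', naive_encode), ('safe', safe_encode)):
        out = render_tag(SAMPLE_TAG, enc)
        print('%s: leaks=%s round_trips=%s\n  %r' % (
            label, leaks_into_later_stages(out), round_trips(out), out))
```

Run as a script, the naive rendering reproduces the shape seen in the report (`&quot;` followed by a literal newline, then `-------&lt;cite`), which is exactly the line break that lets the block-level pass close the open lists and open a `<p>` inside the tag; the hardened rendering contains no raw newline and no `{}[]|` characters yet decodes to the same attribute value.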

Details

Reference
bz6577

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 9:20 PM
bzimport added a project: MediaWiki-Parser.
bzimport set Reference to bz6577.

Fixed at r15399 on trunk, r15400 on REL1_7 branch.

Shouldn't affect 1.6, if I understand the issue properly.
(Though extensions could have similar problems.)