
Bug #7847 raw markup rule allows XSS
Submitted: 2006-06-09 11:36 UTC
From: michael at liquidbytes dot net
Assigned: justinpatrin
Status: Closed
Package: Text_Wiki (version 1.1.0)
PHP Version: Irrelevant
OS: Linux
Roadmaps: (Not assigned)


 [2006-06-09 11:36 UTC] michael at liquidbytes dot net (Michael Mayer)
Description:
------------
The raw markup rule is a very simple way to inject any HTML code into a wiki page (even if the HTML rule is disabled!). I found this in the Text_Wiki documentation about the HTML rule:

----
Warning: This very powerful rule is disabled by default. If you enable it, be careful; you will be working with "real" HTML within the block, and as such can include JavaScript or other possibly malicious code.
----

So, why can't I find the same warning for the raw markup rule? You should find a way to fix it ASAP! A quick fix is to disable this rule, but that will break any "Editing Help" or "Sample" pages, which is fatal.

Test script:
---------------
``<script type="text/javascript">window.open('http://www.heise.de', 'xss');</script>``

Expected result:
----------------
<script type="text/javascript">window.open('http://www.heise.de', 'xss');

Actual result:
--------------
The code doesn't show to the user but opens a new window!
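As an added illustration (my own stand-alone code, not Text_Wiki's source and not the fix that eventually shipped), the PHP below models a double-backtick raw rule. One renderer passes the captured text through verbatim, which is the behaviour the report describes; the other HTML-escapes it, so the script tag is displayed literally, which is the "Expected result" above. The function names, the regular expression and the sample page are assumptions made for this example.

```php
<?php
// Added example, not Text_Wiki code: a minimal model of a wiki "raw" rule
// (text wrapped in double backticks) showing why returning the captured
// text unchanged is an XSS sink and how escaping it removes the problem.
// Function names, pattern and sample input are assumptions for the example.

declare(strict_types=1);

const RAW_PATTERN = '/``(.*?)``/s';

// Vulnerable: the text between the backticks is returned as-is, so any
// markup inside reaches the browser as live HTML (the reported behaviour).
function renderRawUnsafe(string $wikiText): string
{
    return preg_replace_callback(
        RAW_PATTERN,
        function (array $m): string {
            return $m[1];
        },
        $wikiText
    ) ?? '';
}

// Hardened: the text is HTML-escaped before it is emitted, so "<script>"
// is shown to the reader as literal characters and cannot execute.
function renderRawSafe(string $wikiText): string
{
    return preg_replace_callback(
        RAW_PATTERN,
        function (array $m): string {
            return htmlspecialchars($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $wikiText
    ) ?? '';
}

// Crude check used by the self-test: does the output still carry a script tag?
function containsLiveScript(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed sample page that embeds the test script from the bug report.
function samplePage(): string
{
    return 'Sample page: ``<script type="text/javascript">'
        . "window.open('http://www.heise.de', 'xss');</script>``";
}

// Self-test: the unsafe renderer leaks the tag, the safe one neutralises it.
function selfCheck(): void
{
    $unsafe = renderRawUnsafe(samplePage());
    $safe   = renderRawSafe(samplePage());

    if (!containsLiveScript($unsafe)) {
        throw new RuntimeException('expected the unsafe renderer to leak <script>');
    }
    if (containsLiveScript($safe)) {
        throw new RuntimeException('safe renderer still emits a live <script>');
    }
    if (strpos($safe, '&lt;script type=&quot;text/javascript&quot;&gt;') === false) {
        throw new RuntimeException('safe renderer did not escape the tag as expected');
    }

    echo "unsafe: {$unsafe}\n";
    echo "safe:   {$safe}\n";
}

selfCheck();
```

Run it with `php raw_rule_demo.php`; the first line shows the script tag intact, the second shows it as `&lt;script ...&gt;`. The submitter's quick fix corresponds to taking the rule out of the parse list (Text_Wiki exposes `disableRule()` for that), which stops the injection but also breaks every page that legitimately uses raw blocks; escaping the raw text instead keeps those pages rendering as literal text.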
