
Bug #16701 XSS with Tables possible
Submitted: 2009-10-15 15:15 UTC
From: jurik Assigned:
Status: Open Package: Text_Wiki_Mediawiki (version 0.2.0)
PHP Version: 5.2.5 OS: Linux
Roadmaps: (Not assigned)    


 [2009-10-15 15:15 UTC] jurik (Juri Kuehn)
Description:
------------
One can inject javascript code in table definitions.

Our resolution: in Parse/Mediawiki/Table.php

--- add code ---

    /**
     * Remove all bogus formatting
     * Allowed are key="value" pairs only
     *
     * @param string $format
     * @return string
     */
    private function _cleanupFormat($format)
    {
        $validAttrs = array();
        // regex pitch: (\w) = ["'] (.*) ["']
        if (preg_match_all('/\s*(\w+)\s*=\s*(["\'])(.*)\\2/U', $format, $matches)) {
            for ($i = 0; $i < count($matches[0]); $i++) {
                $validAttrs[] = $matches[1][$i] . '="'
                    . htmlspecialchars($matches[3][$i], ENT_QUOTES) . '"';
            }
        }
        return implode(' ', $validAttrs);
    }

--- around line 170 replace with ---

    if ($format = trim($matches[1])) {
        $param['format'] = $this->_cleanupFormat($format);
    }

Test script:
---------------
You can try to render this snippet:

    {| ><script>alert('gotcha!');</script
    |}

Actual result:
--------------
javascript gets executed
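The sanitizer proposed in the report can be exercised outside the Text_Wiki_Mediawiki code base. The following is an added example, not part of the bug report and not the project's own code: it reimplements the reporter's regex-and-escape approach as a standalone function and goes one step further than the reported patch by checking attribute names against an allowlist (the allowlist, the function name `cleanupTableFormat`, and the sample inputs are assumptions of this example). It then runs the function over the payload from the report and over legitimate table attributes so the difference is visible.

```php
<?php
// Added example (not the project's code). Reproduces the idea of the reported
// _cleanupFormat() fix as a standalone function and adds an attribute-name
// allowlist, which the reported patch does not have.

/**
 * Keep only key="value" / key='value' pairs whose key is allowlisted,
 * and HTML-escape every value before re-emitting it.
 *
 * @param string   $format       raw attribute text following "{|"
 * @param string[] $allowedAttrs lowercase attribute names that may survive
 * @return string                sanitized attribute text
 */
function cleanupTableFormat(string $format, array $allowedAttrs = ['class', 'style', 'width', 'border', 'cellpadding', 'cellspacing', 'align', 'title']): string
{
    $validAttrs = [];

    // Same pattern as the reported patch: name = "value" or name = 'value'.
    // The /U modifier makes (.*) ungreedy so it stops at the matching quote.
    if (preg_match_all('/\s*(\w+)\s*=\s*(["\'])(.*)\\2/U', $format, $matches)) {
        foreach ($matches[1] as $i => $name) {
            $name = strtolower($name);
            if (!in_array($name, $allowedAttrs, true)) {
                continue; // attribute name not allowlisted: drop the pair
            }
            // ENT_QUOTES escapes both quote styles so the value cannot close
            // the attribute early; the charset is stated explicitly.
            $value = htmlspecialchars($matches[3][$i], ENT_QUOTES, 'UTF-8');
            $validAttrs[] = $name . '="' . $value . '"';
        }
    }

    return implode(' ', $validAttrs);
}

// Constructed inputs for this example.
$samples = [
    'reported payload'  => "><script>alert('gotcha!');</script",
    'legitimate header' => 'class="wikitable" border="1"',
    'value needs escape' => 'title="a<b" style=\'color:red\' bgcolor="red"',
];

foreach ($samples as $label => $input) {
    printf("%-20s in : %s\n", $label, $input);
    printf("%-20s out: %s\n\n", $label, cleanupTableFormat($input));
}
```

The reported payload contains no `name="value"` pair, so nothing survives and the script text never reaches the rendered table tag. In the third sample the `<` inside the `title` value is escaped, the single-quoted `style` value is re-emitted with double quotes, and `bgcolor` is dropped only because it is not on the example's allowlist; the reported patch alone would keep any `\w+` attribute name, which is why an allowlist of names is the usual hardening step on top of value escaping.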

Comments