| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All | Closed Since Version 0.10.1 |
| Request #18027 | script is vulnerable to XSS via use of svg/animate tags | ||
|---|---|---|---|
| Submitted: | 2010-11-05 22:56 UTC | ||
| From: | cbaxter | Assigned: | demrit |
| Status: | Assigned | Package: | HTML_Safe (version 0.10.1) |
| PHP Version: | Irrelevant | OS: | |
| Roadmaps: | (Not assigned) | ||
[2010-11-05 22:56 UTC] cbaxter
(Chris Baxter)
Description:
------------
The script is open to XSS attacks when done using the
svg/animate tags as not included in deleteTags array.
Test script:
---------------
<html><head></head><body>
<?php
$doc = '"><svg><animate attributeName=onunload to=alert(document.location) /></svg><';
require_once('HTML/Safe.php');
$parser = new HTML_Safe;
$parser->clear();
$result = $parser->parse($doc);
print "<br> $result";
?></body></html>
Expected result:
----------------
<html><head></head><body>
<br> "></body></html>
Actual result:
--------------
<html><head></head><body>
<br> "><svg><animate attributename="onunload"
to="alert(document.location)"></animate></svg></body>
</html>
Comments
[2010-11-05 23:28 UTC] demrit
(Miguel Vazquez Gocobachi)
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: demrit