Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.10.1

Request #18027 script is vulnerable to XSS via use of svg/animate tags
Submitted: 2010-11-05 22:56 UTC
From: cbaxter Assigned: demrit
Status: Assigned Package: HTML_Safe (version 0.10.1)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    
Subscription  


 [2010-11-05 22:56 UTC] cbaxter (Chris Baxter)
Description: ------------ The script is open to XSS attacks when done using the svg/animate tags as not included in deleteTags array. Test script: --------------- <html><head></head><body> <?php $doc = '"><svg><animate attributeName=onunload to=alert(document.location) /></svg><'; require_once('HTML/Safe.php'); $parser = new HTML_Safe; $parser->clear(); $result = $parser->parse($doc); print "<br> $result"; ?></body></html> Expected result: ---------------- <html><head></head><body> <br> "></body></html> Actual result: -------------- <html><head></head><body> <br> "><svg><animate attributename="onunload" to="alert(document.location)"></animate></svg></body> </html>

Comments

 [2010-11-05 23:28 UTC] demrit (Miguel Vazquez Gocobachi)
-Status: Open +Status: Assigned -Assigned To: +Assigned To: demrit