allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <>
Subject [allura:tickets] #7947 XSS vulnerability in link rewriting
Date Mon, 10 Aug 2015 14:28:42 GMT
- **labels**: security, sf-2, sf-current --> security, sf-2


** [tickets:#7947] XSS vulnerability in link rewriting**

**Status:** closed
**Milestone:** unreleased
**Labels:** security sf-2 
**Created:** Mon Aug 03, 2015 03:43 PM UTC by Dave Brondsema
**Last Updated:** Mon Aug 03, 2015 10:06 PM UTC
**Owner:** Dave Brondsema

HTML like `[xss](http://"><a onmouseover=prompt(document.domain)>xss</a>)`
or like `'[xss](http://"><img src=x onerror=alert(document.cookie)>)'` will end up
getting parsed incorrectly and the embedded JS will run.

I've isolated this to the `RelativeLinkRewriter` class and how it uses BeautifulSoup doesn't
handle the incoming HTML (which is like `<a class="" href='http://"><img src=x onerror=alert(document.cookie)>'>xss</a>`
at this point).  BeautifulSoup 4 does handle that correctly.


Sent from because is subscribed to

To unsubscribe from further messages, a project admin can change settings at
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message