Bug #967

JS Comments security (XSS)

Added by nikanorov-gmail-com - 1101 days ago. Updated 789 days ago.

Status :Closed Start :
Priority :Urgent Due date :
Assigned to :scott - % Done :

0%
Category :frontend
Target version :2.5
Resolution :

fixed

Description

Why when I add comment like
---comment----
<script>
alert ("Typo sucks!");
</script>
---comment----

it works? Are you kidding?

History

11/26/2005 04:28 PM - nikanorov-gmail-com -

11/26/2005 04:46 PM - nikanorov-gmail-com -

Same thing on dev box. Not textdrive problem.

11/26/2005 06:20 PM - nikanorov-gmail-com -

Ugly temp patch:

===================================================================
--- app/models/comment.rb       (revision 759)
+++ app/models/comment.rb       (working copy)
@@ -30,6 +30,6 @@

   def make_nofollow
     self.author = nofollowify(author)
-    self.body_html = nofollowify(body_html.to_s)
+    self.body_html = nofollowify(strip_html(body_html.to_s))
   end
 end

11/27/2005 12:41 AM - Redmine Admin

nikanorov - you can actually reproduce at blog.leetsoft.com except it does the same thing my blog does, which is it turns " into an entity, so the alert() is no longer valid, but other tricks would work.

11/27/2005 05:19 AM - edavis10-gmail-com -

I can also reproduce on my installs. The patch does fix the issue but it is still valid if the user clicks preview. I don't know how critical the Preview part would be (i.e. could it 'DROP * FROM xxxx' ?).

Pre-patch Rake passed all tests.
Post-patch Rake failed 3 tests, 2 related to Spam and one related to the Textile (stripping the tags).

11/27/2005 05:40 AM - nikanorov-gmail-com -

>The patch does fix the issue

Strange. I also test this: http://cvs.wackowiki.com/wsvn/repo/trunk/safehtml/tests/testcases2.txt?op=file&rev=0&sc=0

>Post-patch Rake failed 3 tests, 2 related to Spam and one related to the Textile (stripping the tags).

That's why it's ugly temp patch =)

11/27/2005 07:57 AM - nikanorov-gmail-com -

>The patch does fix the issue but it is still valid if the user clicks preview.

Sorry, same thing. But I it's minor.

>i.e. could it 'DROP * FROM xxxx' ?
Could not.

11/28/2005 12:58 PM - scott -

  • Status changed from New to Assigned

I'm still unpacking, but I'll try to get to this as soon as possible. The temp patch should be okay, although I'll probably do it a bit differently.

12/03/2005 04:46 PM - scott -

  • Status changed from Assigned to Closed
  • Resolution set to fixed

(In r763) Really, really strip Javascript from comments. Closes #551

02/20/2006 07:06 PM - otto-atrus-org -

  • Status changed from Closed to Feedback
  • Resolution deleted (fixed)

Sadly this doesn't fix the problem because sanitize isn't rigorous enough :( I filed a ticket against rails, but thought I'd mention it here ... Until it's fixed, I recommend using escapehtml(html) or ActionView::Helpers::TextHelper.strip_tags(html) . I'm marking the ticket as re-opened for now. Depending on the RoR response it might be appropriate to just close it again.

07/06/2006 02:42 PM - scott -

  • Status changed from Feedback to Closed
  • Resolution set to fixed

(In r1077) Greatly improved XSS filtering for comments. Closes #551

Also available in: Atom PDF