#120 Security issue with custom roles allowing raw text

Status: closed-fixed
Owner: nobody
Labels: HTML writer (6)
Priority: 5
Updated: 2009-09-10
Created: 2009-08-26
Creator: Stuart Colville
Private: No

Whilst the raw directives are controlled by the "raw_enabled" option, the roles aren't. Thus, if someone makes use of rst on a website, an attacker could use a custom role to enter arbitrary text into a page.

Here's an example:

.. role:: unsafe_raw(raw)

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

A patch is attached which adds a check to see if raw_enabled is allowed in the raw_role.
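The scenario the report describes, as an added example that is not part of the ticket or the attached patch: untrusted rst rendered with docutils, once with raw output allowed and once with `raw_enabled` switched off. The role definition carries the `:format: html` option a raw-derived role needs, and a plain `raw` directive is included for comparison. The example assumes docutils 0.6 or later (the release that carries the fix); on earlier releases the second rendering would still let the role payload through, which is exactly this bug.

```python
"""Render untrusted reStructuredText with docutils, with and without the
raw_enabled gate.

Added example for this ticket; it is not the attached patch and not code
from the docutils tree. It assumes docutils >= 0.6, so that
raw_enabled=False also rejects roles derived from ``raw``.
"""
from docutils.core import publish_parts

# Constructed attacker input, modelled on the ticket's snippet: a custom
# role derived from ``raw`` (with the ``:format:`` option the role needs)
# plus a plain ``raw`` directive for comparison.
UNTRUSTED_RST = """\
Some innocent paragraph.

.. role:: unsafe_raw(raw)
   :format: html

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

.. raw:: html

   <script>alert(1)</script>
"""


def render(rst_text, raw_enabled):
    """Return the HTML body docutils produces for ``rst_text``.

    ``raw_enabled`` is the setting this ticket is about. Before 0.6 it
    only gated the directive; the role-based payload got through even
    with raw_enabled=False.
    """
    settings = {
        'raw_enabled': raw_enabled,
        # Also block ``include`` and ``raw :file:`` reads from disk when
        # rendering input you do not control.
        'file_insertion_enabled': False,
        # Ignore any docutils.conf on the host so the result is deterministic.
        '_disable_config': True,
        # Keep warnings in the rendered output so the refusal is visible
        # (docutils replaces the rejected role with a "problematic" span
        # and appends a system message).
        'report_level': 2,
    }
    parts = publish_parts(source=rst_text, writer_name='html',
                          settings_overrides=settings)
    return parts['body']


def payload_survives(html):
    """True if either injected fragment reached the output as live markup.

    When docutils refuses the raw content it escapes the source text, so
    the literal ``<p onclick=`` / ``<script>`` sequences never appear.
    """
    return '<p onclick=' in html or '<script>' in html


def main():
    unsafe = render(UNTRUSTED_RST, raw_enabled=True)
    safe = render(UNTRUSTED_RST, raw_enabled=False)
    print('raw_enabled=True  -> payload survives:', payload_survives(unsafe))
    print('raw_enabled=False -> payload survives:', payload_survives(safe))


if __name__ == '__main__':
    main()
```

For a site that accepts rst from users, `raw_enabled=False` together with `file_insertion_enabled=False` is the setting pair to pass as `settings_overrides`; the former is only a complete defence on a docutils release that includes this fix.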

Discussion

  • Update: as the snippet above is incorrect, it should be:

    .. role:: unsafe_raw(raw)
       :format: html

    :unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

    • labels: --> HTML writer

  • Günter Milde
    2009-09-10

    Thanks for the patch. It's applied to SVN (upcoming release 0.6).

  • Günter Milde
    2009-09-10

    • status: open --> closed-fixed