From: SourceForge.net <no...@so...> - 2009-08-26 15:33:07

Bugs item #2845002, was opened at 2009-08-26 15:33
Message generated for change (Tracker Item Submitted) made by muffinresearch
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=422030&aid=2845002&group_id=38414

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Stuart Colville (muffinresearch)
Assigned to: Nobody/Anonymous (nobody)
Summary: Security issue with custom roles allowing raw text

Initial Comment:
Whilst the raw directives are controlled by the "raw_enabled" option, the roles aren't. Thus if someone makes use of rst on a website an attacker could use a custom role to enter arbitrary text into a page.

Here's an example:

.. role:: unsafe_raw(raw)

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

A patch is attached which adds a check to see if raw_enabled is allowed in the raw_role.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=422030&aid=2845002&group_id=38414
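The report's point is that a site rendering user-supplied reStructuredText must not rely on ``raw_enabled`` covering the ``raw`` directive alone; roles derived from ``raw`` have to be refused as well. The following is an added example, not code from the bug report or the attached patch: it renders the report's payload once with docutils' default settings and once with the settings a site should use for untrusted authors, and checks whether the injected element reaches the HTML unescaped. It assumes a docutils release in which the ``raw`` role honours ``raw_enabled`` (the behaviour the patch adds); the sample document is constructed from the report's payload, with the ``:format:`` option the role directive needs before docutils will emit raw text at all.

```python
"""Render untrusted reStructuredText with docutils so that the ``raw``
directive and any role derived from it cannot inject markup.

Added example, not code from the bug report or the attached patch.  It
assumes a docutils release in which the ``raw`` role honours the
``raw_enabled`` setting (the behaviour the patch adds).
"""
from docutils.core import publish_parts

# Constructed untrusted input, built from the report's payload: a custom
# role derived from ``raw`` smuggles an element with an inline event
# handler into the page.  ``:format: html`` is required for the raw role
# to emit anything.
UNTRUSTED_RST = """\
.. role:: unsafe_raw(raw)
   :format: html

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`
"""

# Settings for user-supplied RST.  ``raw_enabled`` governs the ``raw``
# directive and, once the fix is in, raw-derived roles as well;
# ``file_insertion_enabled`` disables directives that read local files
# or URLs (``include``, ``raw`` with ``:file:``/``:url:``);
# ``report_level`` 5 keeps the parser's refusal messages out of the page.
UNTRUSTED_SETTINGS = {
    "raw_enabled": False,
    "file_insertion_enabled": False,
    "report_level": 5,
}


def render_html(rst_text, settings_overrides=None):
    """Convert RST to an HTML body fragment with the given settings."""
    parts = publish_parts(
        source=rst_text,
        writer_name="html",
        settings_overrides=settings_overrides or {},
    )
    return parts["body"]


def render_untrusted(rst_text):
    """Render RST from an untrusted author: raw markup is refused and the
    offending source is shown escaped, as text."""
    return render_html(rst_text, UNTRUSTED_SETTINGS)


def render_permissive(rst_text):
    """Default docutils settings (raw enabled): suitable only for authors
    who are allowed to write arbitrary HTML anyway."""
    return render_html(rst_text)


def raw_markup_leaked(html):
    """True if the injected element reached the output unescaped."""
    return "<p onclick" in html


if __name__ == "__main__":
    permissive = render_permissive(UNTRUSTED_RST)
    hardened = render_untrusted(UNTRUSTED_RST)
    print("default settings leak raw HTML:  ", raw_markup_leaked(permissive))
    print("untrusted settings leak raw HTML:", raw_markup_leaked(hardened))
    print(hardened)
```

With the hardened settings the role's source text survives only as an escaped ``problematic`` span (``&lt;p onclick=...``), so the handler is never interpreted by the browser; with the defaults the element is copied into the page verbatim, which is exactly the injection the report describes. Pinning ``raw_enabled`` and ``file_insertion_enabled`` off in ``settings_overrides`` (rather than relying on a docutils.conf the deployment might not ship) is the setting a site should apply to every render of untrusted input.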