#74 feed author not escaped (possible XSS)

Milestone: 2.2.0
Status: open
Owner: nobody
Labels: Interface (38)
Priority: 7
Updated: 2008-01-01
Created: 2008-01-01
Creator: Robert Bienert
Private: No

The feed's author field seems not to be escaped in the article view. If we have the following (RSS) feed snippet:

<item>
<dc:creator><![CDATA[<input name="...", onclick="..."; return(true)>]]></dc:creator>
<title><![CDATA[<input name="...", onclick="..."; return(true)>]]></title>
<link><![CDATA[http://forum.de.selfhtml.org/?t=164259&m=1070395]]></link>
<pubDate>Mon, 31 Dec 2007 07:43:48 +0100</pubDate>
<category>HTML/XHTML</category>
<guid isPermaLink="true"><![CDATA[http://forum.de.selfhtml.org/?t=164259&m=1070395]]></guid>
<description><![CDATA[Hallo,<br><br>könnt ihr mir sagen was das Attribut &quot;return(true)&quot; bei einem input-Element für einen Sinn macht?<br><br>&lt;input type=&quot;submit&quot; name=&quot;${name}&quot; class=&quot;bs&quot; value=&quot;${label}&quot;<br>?| ?| ?| ?| ?| ?| ?| tabindex=&quot;1&quot; onclick=&quot;showSpan('applyButton'); return(true);&quot;/&gt;]]></description>
</item>

This produces an input field as author name as the attached screenshot shows. This may be misused for XSS (cross-site scripting) attacks.
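
The behaviour reported above, reproduced as an added example that is not part of the original report or the project's code: CDATA in `dc:creator` and `title` reaches the application as literal markup, so it has to be HTML-encoded when placed in the article view. The feed is a constructed sample with a placeholder handler, and the function names and the `h1`/`p` page layout are assumptions.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

DC = "{http://purl.org/dc/elements/1.1/}"

# Constructed sample modelled on the report's item; the handler is a placeholder.
FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><item>
<dc:creator><![CDATA[<input name="a" onclick="placeholder()">]]></dc:creator>
<title><![CDATA[<input name="a" onclick="placeholder()">]]></title>
<link>http://example.invalid/post</link>
</item></channel></rss>"""


class TagCounter(HTMLParser):
    """Records the start tags an HTML parser would create from a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    counter = TagCounter()
    counter.feed(fragment)
    counter.close()
    return counter.tags


def feed_fields(xml_text):
    """Return (author, title) as plain text; CDATA content arrives verbatim."""
    item = ET.fromstring(xml_text).find("./channel/item")
    return item.findtext(DC + "creator", ""), item.findtext("title", "")


def render_unescaped(author, title):
    # The behaviour the report describes: feed text concatenated into markup.
    return "<h1>" + title + "</h1><p class=\"author\">" + author + "</p>"


def render_escaped(author, title):
    # Feed text is data: encode it for the HTML context before insertion.
    return ("<h1>" + html.escape(title) + "</h1><p class=\"author\">"
            + html.escape(author) + "</p>")
```

Comparing `tags_in()` on the two renderings shows the extra `input` elements only in the unescaped output, which makes a simple regression check for every feed field shown in the view.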

Discussion

  • Robert Bienert
    2008-01-01

    • priority: 5 --> 7