#240 HTML templates: possible XSS attack


Template.pm allows insertion of the current file path into the header or footer page area through the $pathname substitution variable. This current file path is inserted "as is", without any check for "dangerous" characters such as < > &, allowing arbitrary HTML code insertion through a carefully crafted path.

Presently, no shipping template uses this substitution variable. Moreover, the routine clean_path (called during initialisation) purges from the path name any character outside a very restricted set (the offending characters are thus removed). Consequently, the probability of misbehaving HTML or XSS is very low. However, restrictions on file names may be relaxed; better to be strict.

Implement a new template-expanding function to HTML-protect the characters < > &.

Note: CVS shows that this potential bug has been present from the beginning (releases 0.8 to 1.2.0!) despite character filtering.
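As an added illustration (not code from LXR's Template.pm or from the ticket author), the Perl below contrasts the two behaviours the ticket describes: an expander that copies a substitution value such as $pathname into the page verbatim, and one that HTML-escapes every substituted value before insertion. The functions html_escape, expand_raw and expand_escaped, the header template and the sample path are all constructed for this example and are not LXR's API. The escape list deliberately goes beyond the ticket's < > & and also covers both quote characters, since a substituted value may land inside an attribute value as well as in element text.

```perl
#!/usr/bin/perl
# Added example, not LXR's Template.pm: a minimal template expander with
# a raw and an HTML-escaping variant for substitution variables.
use strict;
use warnings;

# Replace the characters that change HTML meaning with entities.
# '&' is handled first so the entities produced here are not re-escaped.
sub html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Unsafe expansion: each $name is replaced by its value verbatim, which is
# the behaviour the ticket reports for $pathname. Unknown names are left
# untouched.
sub expand_raw {
    my ($template, $vars) = @_;
    $template =~ s/\$(\w+)/exists $vars->{$1} ? $vars->{$1} : "\$$1"/ge;
    return $template;
}

# Safe expansion: every substituted value is HTML-escaped, so a path that
# contains markup is rendered as text instead of being parsed as HTML.
sub expand_escaped {
    my ($template, $vars) = @_;
    $template =~ s/\$(\w+)/exists $vars->{$1} ? html_escape($vars->{$1}) : "\$$1"/ge;
    return $template;
}

# Constructed header fragment and a constructed path containing markup.
my $header = '<div class="path">Current file: $pathname</div>';
my $path   = 'src/<b>not bold</b>/file.c';

print "raw:     ", expand_raw($header,     { pathname => $path }), "\n";
print "escaped: ", expand_escaped($header, { pathname => $path }), "\n";
```

Run with `perl` and compare the two lines: in the raw output the `<b>` tag from the path survives as markup, while in the escaped output it appears as `&lt;b&gt;` and the browser shows the path literally. Escaping at the substitution point, rather than relying on clean_path, keeps the template safe even if file-name restrictions are relaxed later.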


  • Andre-Littoz - 2013-09-24

    Fixed in CVS

  • Andre-Littoz - 2013-09-24
    • status: open --> closed-fixed
