From: Arno H. <aho...@in...> - 2000-06-03 08:00:40
Hi there,

the new name linking scheme is vulnerable to attack. The exploit goes something like this:

external links: [external | javascript:alert('you are hacked')]
internal links: [internal: <script language=javascript>alert('bad stuff happens');</script>]

The javascript is executed both times. This opens the doors to never-ending Javascript exploits. (Actually internal links allow including arbitrary HTML.)

While I favour the approach to limit the charset allowed within '[]', I guess we can get by with the following fix:

left of '|': encode text with htmlspecialchars() (same goes for names in RecentChanges)
right of '|': forbid links starting with 'script' or 'java'

I will look further into the issue and tell you what I can come up with.

While poking around I discovered that the $magic_quotes_gpc=1 bug seems to be back (this time for page names) - not sure if this is also true when using mySQL.

/Arno

P.S: be careful when replying to the list. Apparently the "Reply-To:" header is not set, so a simple reply just goes to the author and not to the list. Steve, can this be changed in the list settings?
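The link-rendering flaw described in the message above, with the vulnerable renderer beside a hardened one, as an added example written for this page in Python (it is neither PhpWiki's own PHP code nor anything posted in the thread). The `[text | url]` and `[page]` syntax, the `index.php?` internal link target, the `SAFE_SCHEMES` allowlist and the `PAGE_NAME_RE` charset restriction are assumptions chosen for illustration. The hardened version goes beyond the proposed fix: instead of refusing targets that start with 'script' or 'java', it strips whitespace and control characters and then accepts only an explicit, allowlisted URL scheme, and it HTML-encodes both the link text and the href (the `htmlspecialchars()` equivalent is `html.escape(..., quote=True)`).

```python
import html
import re
from urllib.parse import quote, urlsplit

# Assumed link syntax: "[text | url]" for external links, "[page]" for
# internal page links. Both shapes are taken from the message above.
LINK_RE = re.compile(r"\[([^\]|]*)(?:\|([^\]]*))?\]")

# Assumed allowlist of schemes an external wiki link may use.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# Assumed charset for internal page names (the "limit the charset within
# '[]'" approach the message favours).
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]+$")


def render_vulnerable(markup):
    """Reproduce the reported flaw: text and target are dropped into HTML raw."""
    def sub(m):
        text = m.group(1).strip()
        target = m.group(2)
        if target is None:
            # Internal link: page name lands in the href and the body unescaped,
            # so "[<script>...</script>]" injects arbitrary HTML.
            return f'<a href="index.php?{text}">{text}</a>'
        # External link: "javascript:..." is accepted as-is.
        return f'<a href="{target.strip()}">{text}</a>'
    return LINK_RE.sub(sub, markup)


def safe_target(url):
    """Return a cleaned URL that is safe to put in href, or None to refuse it."""
    # Browsers ignore embedded tabs/newlines and leading spaces when they
    # parse a scheme, so drop every ASCII control character and space before
    # inspecting it; otherwise "java\nscript:" or " javascript:" slips past a
    # plain prefix check. Percent-encoded spaces are unaffected.
    cleaned = "".join(ch for ch in url if ch > " " and ch != "\x7f")
    try:
        parts = urlsplit(cleaned)  # lowercases the scheme for us
    except ValueError:
        return None
    if parts.scheme not in SAFE_SCHEMES:
        return None
    return cleaned


def render_hardened(markup):
    """Same syntax, but with escaping on the left and an allowlist on the right."""
    def sub(m):
        text = m.group(1).strip()
        target = m.group(2)
        if target is None:
            if not PAGE_NAME_RE.match(text):
                # Unlinkable page name: show it, but as text, never as HTML.
                return html.escape(text)
            return f'<a href="index.php?{quote(text)}">{html.escape(text)}</a>'
        url = safe_target(target.strip())
        if url is None:
            # Refused scheme: keep the visible text, drop the link entirely.
            return html.escape(text)
        return f'<a href="{html.escape(url)}">{html.escape(text)}</a>'
    return LINK_RE.sub(sub, markup)


if __name__ == "__main__":
    # Constructed sample markup, including the two payloads from the message.
    samples = [
        "[external | javascript:alert('you are hacked')]",
        "[internal <script language=javascript>alert('bad stuff happens');</script>]",
        "[x | JavaScript:alert(1)]",
        "[x | java\nscript:alert(1)]",
        "[home | http://example.org/?a=1&b=2]",
        "[Some Page]",
    ]
    for s in samples:
        print("vulnerable:", render_vulnerable(s))
        print("hardened:  ", render_hardened(s))
```

A prefix blocklist of 'script' and 'java' misses `JavaScript:`, a leading space or tab, a newline inside the scheme, and unrelated dangerous schemes such as `vbscript:` or `data:`; an allowlist applied after normalisation closes all of those at once. Note that when the allowlist refuses a target the visible text still survives, so a page does not silently lose content, and that escaping the href with `html.escape` is what turns `&` into `&amp;` inside the attribute.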