#1363 XSS in ::html::textarea

open
html (18)
5
2013-04-30
2013-04-30
No

When using ::html::textarea, the application is prone to cross-site scripting attacks.

Example (within a CGI script):
puts [::html::textarea foo]

Injection:
http://.../foo.cgi?foo=<payload>
where <payload> is the URL-encoded form of arbitrary HTML, e.g. </textarea><script>alert(/xss/);</script>

Problem:
User input is reflected without proper HTML encoding.

Solution - example with html_entities:

proc ::html::textarea {name {param {}} {current {}}} {
    ::set value [ncgi::value $name $current]
    # Entity-encode the reflected value so it cannot close the <textarea>
    # element or inject markup; ::html::html_entities resolves within ::html.
    return "<[string trimright \
        "textarea name=\"$name\" [tagParam textarea $param]"]>[html_entities $value]</textarea>\n"
}
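The following is an added, stand-alone Tcl script (not part of the ticket or of tcllib) that reproduces the break-out described above and shows why entity encoding closes it. It does not load tcllib: query_value stands in for ncgi::value and escape_html for ::html::html_entities, and the query dictionary holding the payload is constructed for the demonstration.

```tcl
# Added example, not tcllib code: vulnerable vs. fixed textarea rendering.
# Helper names (query_value, escape_html, textarea_vuln, textarea_fixed,
# breaks_out) are constructed for this demonstration.

# Constructed stand-in for the CGI parameter lookup (ncgi::value): a fixed
# query dictionary carrying the payload from the report.
set ::query [dict create foo {</textarea><script>alert(/xss/);</script>}]
proc query_value {name {default {}}} {
    if {[dict exists $::query $name]} {
        return [dict get $::query $name]
    }
    return $default
}

# Minimal equivalent of ::html::html_entities: escape the five characters
# that are special in HTML. string map performs a single left-to-right pass
# and never re-scans its own output, so replacing & in the same map is safe.
proc escape_html {s} {
    return [string map [list & &amp; < &lt; > &gt; \" &quot; ' &#39;] $s]
}

# Vulnerable form: the value is interpolated verbatim, as in the affected
# tcllib revision.
proc textarea_vuln {name} {
    set value [query_value $name]
    return "<textarea name=\"$name\">$value</textarea>\n"
}

# Fixed form: the value is entity-encoded before interpolation, as in the
# ticket's proposed patch.
proc textarea_fixed {name} {
    set value [query_value $name]
    return "<textarea name=\"$name\">[escape_html $value]</textarea>\n"
}

# Check: the generated markup must contain exactly one "</textarea", the
# one we emitted. Any other count means the user value escaped the element.
proc breaks_out {html} {
    set closes [regexp -all -nocase {</textarea} $html]
    return [expr {$closes != 1}]
}

puts "vulnerable: [textarea_vuln foo]"
puts "breaks out: [breaks_out [textarea_vuln foo]]"
puts "fixed:      [textarea_fixed foo]"
puts "breaks out: [breaks_out [textarea_fixed foo]]"
```

Run with tclsh: the vulnerable variant reports a break-out because the payload's own </textarea> terminates the element and the following <script> lands in the page, while the fixed variant keeps the payload as inert text (&lt;/textarea&gt;...) inside the single real element. The breaks_out check is a useful regression test for any template helper that interpolates user data into element content.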

Affected Version:
http://core.tcl.tk/tcllib/artifact/665bf2f9e2de3630b78be8f4e73b7742c535ec41
