Docutils: Documentation Utilities / Bugs / #120 Security issue with custom roles allowing raw text

#120 Security issue with custom roles allowing raw text

Status: closed-fixed

Owner: nobody

Labels: HTML writer (9)

Priority: 5

Updated: 2009-09-10

Created: 2009-08-26

Creator: Stuart Colville

Private: No

Whilst the raw directives are controlled by the "raw_enabled" enabled option the roles aren't. Thus if someone makes use of rst on a website an attacker could use a custom role to enter arbitrary text into a page.

Here's an example:

.. role:: unsafe_raw(raw)

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

A patch is attached which adds a check to see if raw_enabled is allowed in the raw_role

Discussion

Stuart Colville - 2009-08-26

Patch against docutiils 0.5

raw_enabled_check_in_raw_role.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Stuart Colville - 2009-09-08

Update as the snippet above is incorrect it should be:

.. role:: unsafe_raw(raw)
:format: html

:unsafe_raw:`<p onclick="alert('hello')">Oh Hai (click me)</p>`

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Stuart Colville - 2009-09-08

labels: --> HTML writer
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Günter Milde - 2009-09-10

Thanks for the patch. Its applied to SVN (upcoming release 0.6)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Günter Milde - 2009-09-10

status: open --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Security issue with custom roles allowing raw text

Searches

Help

#120 Security issue with custom roles allowing raw text

Discussion