XSS issue
That's only one possibility. I have some other ideas to maybe bring files to the server as well. Didn't test them thoroughly as they are much more complex. But it is safe to assume that a dedicated attacker will reach that goal on any non-trivial website.
I really wonder. The main trouble between you and me is that you have, in my eyes, a strange understanding of methods to ensure code quality, and then you're leaving obvious security-related issues open for months, even years after I provided fixes for them. That's simply not understandable at all! As I already said above, your mitigation does not help. It can easily be circumvented! To do so I made an exploit which bypasses the policies: http://www.isfdb.org/cgi-bin/se.cgi?arg=%3Cscript+src%3D%22%2Fw...
A third issue in this page: Index: biblio/adv_search_results.py =================================================================== --- biblio/adv_search_results.py (Revision 551) +++ biblio/adv_search_results.py (Arbeitskopie) @@ -49,7 +49,7 @@ def results(self): self.parse_parameters() - PrintHeader("Advanced %s Search" % self.search_type) + PrintHeader("Advanced %s Search" % cgi.escape(self.search_type)) PrintNavbar('adv_search_results', 0, 0, 0, 0) self.set_search_type() self.process_terms()...
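Review bot: the fixed line calls cgi.escape, but the hunk shows no import of the cgi module; confirm that `import cgi` is already present at the top of biblio/adv_search_results.py, otherwise the patched line raises NameError the first time results() runs. Also note that cgi.escape with its default quote=False leaves double quotes unescaped, which is adequate for the text of the header but not if PrintHeader ever places the value inside an attribute.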
Proper formatted, no double encoding Index: sources/biblio/adv_search_results.py =================================================================== --- sources/biblio/adv_search_results.py (Revision 551) +++ sources/biblio/adv_search_results.py (Arbeitskopie) @@ -49,7 +49,7 @@ def results(self): self.parse_parameters() - PrintHeader("Advanced %s Search" % self.search_type) + PrintHeader("Advanced %s Search" % cgi.escape(self.search_type)) PrintNavbar('adv_search_results', 0, 0, 0, 0) self.set_search_type()...
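Review bot: the only change from the hunk posted just above is the path prefix (sources/biblio/ instead of biblio/), so whoever applies it has to match the patch strip level to their checkout; the content of the fix is the same. The hunk escapes search_type only at the PrintHeader call; any other place in results() that echoes self.search_type into the page (set_search_type, process_terms) is outside the visible context and should be checked separately.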
Try again with proper formatting?

addpub.py: print '<div id="HelpBox">'
addpub.py- print '<b>Help on adding new publication records: </b>'
addpub.py- print '<a href="http://%s/index.php/Help:Screen:AddPublication">Help:Screen:AddPublication</a><p>' % (WIKILOC)
edit/addpub.py- print '</div>'

The <p> is empty and should be stripped.
HelpBox uses empty <p>, causes HTML lint violation
You're mixing two things here:
1. The issues are bugs in any case and must be fixed.
2. The security issue is mitigated by the CSP rules, so it probably is not a major vulnerability. A possible way to exploit it is to get a JS file onto the server and reference it. Then the CSP rules will no longer protect. That's also why I wrote "while mitigated the issue still exists". The CSP is always only a workaround, not a fix. It should not be possible from the user side to inject valid HTML into the pages...
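The point made throughout this thread is that CSP only limits what injected markup can do, while output escaping prevents the markup from being injected at all. The following added example (written here for illustration, not ISFDB code) shows the difference between the two escaping modes in Python 3: html.escape(s, quote=False) behaves like Python 2's cgi.escape(s) as used in the patch above, and html.escape(s, quote=True) additionally encodes quotes. It renders a header and an input field from a search_type value, parses the result with the standard-library HTML parser, and reports whether any tag carries an on* event-handler attribute. The function names, the input template, and the sample search_type strings are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values standing in for the search_type query parameter.
SAMPLE_PLAIN = "Title"
SAMPLE_TAG = '<script src="/x.js"></script>'
SAMPLE_ATTR = '" onmouseover="alert(1)'


def render_header_text(search_type):
    """Text-node context: escaping &, < and > is enough (this is what
    cgi.escape(search_type) in the patch above does; quotes stay as-is)."""
    return "<h1>Advanced %s Search</h1>" % html.escape(search_type, quote=False)


def render_input_unsafe(search_type):
    """Attribute context with text-node escaping only: quotes are not encoded,
    so a value containing a double quote can close the attribute early."""
    return '<input name="search_type" value="%s">' % html.escape(search_type, quote=False)


def render_input_safe(search_type):
    """Attribute context done right: quote=True also encodes " and '."""
    return '<input name="search_type" value="%s">' % html.escape(search_type, quote=True)


class TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs from the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return the start tags the browser-side parser would see in markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def has_event_handler(markup):
    """True if any tag in markup carries an on* attribute (inline handler)."""
    return any(name.startswith("on") for _, attrs in parse_tags(markup) for name in attrs)


if __name__ == "__main__":
    for label, fn in (("text", render_header_text),
                      ("unsafe attr", render_input_unsafe),
                      ("safe attr", render_input_safe)):
        for sample in (SAMPLE_PLAIN, SAMPLE_TAG, SAMPLE_ATTR):
            out = fn(sample)
            print("%-11s %-30r -> tags=%r handler=%s"
                  % (label, sample, parse_tags(out), has_event_handler(out)))
```

Running it shows that the text-node escaping in the patch turns the script sample into inert text (only the h1 tag survives parsing), while the same escaping in an attribute lets the quote-breakout sample add an onmouseover handler; only the quote=True variant keeps the value inside the attribute. The parser check is a cheap way to unit-test such rendering helpers regardless of whether a CSP is in place.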