#7947 XSS vulnerability in link rewriting

v1.3.1
closed
General
Heith Seewald
2015-08-10
2015-08-03
No

HTML like [xss](http://"><a onmouseover=prompt(document.domain)>xss</a>) or like '[xss](http://"><img src=x onerror=alert(document.cookie)>)' will end up getting parsed incorrectly and the embedded JS will run.

I've isolated this to the RelativeLinkRewriter class and how it uses BeautifulSoup doesn't handle the incoming HTML (which is like <a class="" href='http://"><img src=x onerror=alert(document.cookie)>'>xss</a> at this point). BeautifulSoup 4 does handle that correctly.

Related

Tickets: #7952

Discussion

  • Dave Brondsema

    Dave Brondsema - 2015-08-03
    • status: in-progress --> review
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-03

    Fix on db/7947 (also a forge-classic branch)

     
  • Heith Seewald

    Heith Seewald - 2015-08-03
    • Reviewer: Heith Seewald
     
  • Heith Seewald

    Heith Seewald - 2015-08-03
    • status: review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-03
    • private: Yes --> No
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-10
    • labels: security, sf-2, sf-current --> security, sf-2
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-10
    • Milestone: unreleased --> v1.3.1
     

Log in to post a comment.