#7947 XSS vulnerability in link rewriting

v1.3.1
closed
General
Heith Seewald
2015-08-10
2015-08-03
No

HTML like [xss](http://"><a onmouseover=prompt(document.domain)>xss</a>) or like '[xss](http://"><img src=x onerror=alert(document.cookie)>)' will end up getting parsed incorrectly and the embedded JS will run.

I've isolated this to the RelativeLinkRewriter class: the way it uses BeautifulSoup doesn't handle the incoming HTML (which is like <a class="" href='http://"><img src=x onerror=alert(document.cookie)>'>xss</a> at this point). BeautifulSoup 4 does handle that correctly.

Related

Tickets: #7952
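
An added example, not Allura's RelativeLinkRewriter and not the fix on db/7947: a link rewriter built on the standard library's html.parser that re-serializes attribute values escaped, so the href from the ticket stays inside its attribute. LinkRewriter, rewrite_links, start_tags and the escape_values switch (off reproduces the unescaped write-back for contrast) are hypothetical names.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed from the ticket text: the HTML the rewriter receives.
SAMPLE = """<a class="" href='http://"><img src=x onerror=alert(document.cookie)>'>xss</a>"""
ABSOLUTE = re.compile(r'^(?:[a-zA-Z][a-zA-Z0-9+.-]*:|/|#)')  # scheme, root path or anchor
ATTR_NAME = re.compile(r'^[a-zA-Z_][\w:.-]*$')

class LinkRewriter(HTMLParser):
    """Hypothetical rewriter: prefix relative hrefs, re-serialize every tag."""

    def __init__(self, base, escape_values=True):
        super().__init__(convert_charrefs=True)
        self.base, self.escape_values, self.out = base, escape_values, []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if not ATTR_NAME.match(name):
                continue  # drop names that could not be written back safely
            value = value or ''  # a bare attribute is written back as name=""
            if tag == 'a' and name == 'href' and value and not ABSOLUTE.match(value):
                value = self.base + value
            if self.escape_values:  # hardening: " < > & cannot end the attribute
                value = escape(value, quote=True)
            parts.append('%s="%s"' % (name, value))
        self.out.append('<%s>' % ' '.join(parts))

    def handle_endtag(self, tag):
        self.out.append('</%s>' % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def rewrite_links(html, base, escape_values=True):
    parser = LinkRewriter(base, escape_values)
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)

def start_tags(html):
    """Element names a parser sees in html; used to check rewriter output."""
    seen = []
    checker = HTMLParser()
    checker.handle_starttag = lambda tag, attrs: seen.append(tag)
    checker.feed(html)
    checker.close()
    return seen
```

Running start_tags over the rewriter's output for SAMPLE works as a regression check: the escaped form yields a single a element, while the unescaped write-back yields an extra img element.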

Discussion

  • Dave Brondsema - 2015-08-03
    • status: in-progress --> review
     
  • Dave Brondsema - 2015-08-03

    Fix on db/7947 (also a forge-classic branch)

     
  • Heith Seewald - 2015-08-03
    • Reviewer: Heith Seewald
     
  • Heith Seewald - 2015-08-03
    • status: review --> closed
     
  • Dave Brondsema - 2015-08-03
    • private: Yes --> No
     
  • Dave Brondsema - 2015-08-10
    • labels: security, sf-2, sf-current --> security, sf-2
     
  • Dave Brondsema - 2015-08-10
    • Milestone: unreleased --> v1.3.1
     
