Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, ccruz, deshani, and 11 others

#989 html pass-through security issue?

Milestone: v1.0.0

Status: closed

Owner: nobody

Labels: None

Component: General

Reviewer: nobody

Updated: 2015-08-20

Created: 2010-09-30

Creator: Dave Brondsema

Private: No

Some raw HTML can be passed through (although <script> is scrubbed, good). But you might still have something like an innocent link that users click on.

Discussion

Dave Brondsema - 2010-09-30

Actually maybe not as important, since currently those javascript: links render as href="../javascript:alert()"

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mark Ramm - 2010-10-01

We're using the scrubber from FeedParser, which has become the scrubber in htmllib, so i'm pretty confident that it catches most everything you could do.

http://www.feedparser.org/docs/html-sanitization.html

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mark Ramm - 2010-10-01

status: open --> closed

milestone: --> GA9
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#989 html pass-through security issue?

Discussion