Last modified: 2012-10-29 18:10:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T36308, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 34308 - HTML/JS/XSS injection in visual editor (attribute sanitation on links)
Status: RESOLVED FIXED
Product: VisualEditor
Classification: Unclassified
Component: General (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Importance: High normal
Target Milestone: VE-deploy-2012-10-15
Assigned To: Nobody - You can work on this!
URL: https://test.wikipedia.org/wiki/Speci...
Depends on:
Blocks:
Reported: 2012-02-09 22:24 UTC by Brion Vibber
Modified: 2012-10-29 18:10 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Description Brion Vibber 2012-02-09 22:24:55 UTC
Create a new link in the visual editor. Add this text as the link target (including quotes exactly):

" onmouseover="alert(document.cookie)" alt=

When mousing over the link in the editor, you'll get an alert popup with cookie contents. Same occurs in the HTML serialization ("preview").


I notice that ve.Html.makeAttributeList() doesn't do any escaping. Changing it locally to escape the text before putting it into an attribute seems to help on the preview (HTML serialization) but not in the editor.
Comment 1 Roan Kattouw 2012-06-21 23:02:08 UTC
This is a bug report against old code, but the new code had a similar issue. Now fixed with https://gerrit.wikimedia.org/r/#/c/12550/1
Comment 2 James Forrester 2012-10-15 22:57:55 UTC
Mass-moving old VisualEditor tickets to the VE product. Search for this message to mass-delete bugmail.
Comment 3 James Forrester 2012-10-29 18:10:15 UTC
Noting bugs closed in the 2012-10-15 release.
