Uploaded image for project: 'Hippo CMS'
  1. Hippo CMS
  2. CMS-3651

Cross-site scripting possible using IMG-tags in Xinha field

    XMLWordPrintable

Details

    Description

      Within a XInha field, the HTML can be edited directly. The XSS examples below are not correctly filtered

      Reproduction:

      • Create a new document.
      • Select html mode for a Xinha field
      • Enter one of the examples below
      • Press finished.

      Expected:
      The editor filters the script elements from the HTML

      Result:
      The editor leaves the scripts in the HTML. There is a possibility of cross-site scripting.

      ------------------
      Examples:
      ------------------
      Werkt voor nagenoeg alle browsers (IE7, FF3.5, Opera 10.10):
      <IMG SRC=""><SCRIPT>alert("Hack works!")</SCRIPT></IMG>

      Werkt onder Opera 10.10:
      <IMG SRC="javascript:alert('Hack works!');"/>

      Attachments

        1. firefox.png
          firefox.png
          21 kB
        2. ie8.png
          ie8.png
          20 kB
        3. opera.png
          opera.png
          24 kB
        4. chrome.png
          chrome.png
          21 kB
        5. stack
          4 kB

        Activity

          People

            fvlankvelt Frank van Lankvelt (Inactive)
            dennis dam Dennis Dam (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: