Bug #20835
closed
RemoveXSS corrupts HTML
Description
Try RemoveXSS on this code:
<![CDATA[ <div style="x:y">test</div> ]>
The result is:
<![CDATA[ <div <x>yle="x:y">test</div> ]>
which looks on the screen like:
yle="x:y">test
Suggestions:
- process tags and attributes separately
- change <x> to x
- do not replace first two chars but prepend "x" to the attribute
- do not replace style attribute
(issue imported from #M11649)
Updated by Marcus Krause over 15 years ago
@3+4: JS could be embedded in style attributes. So there's a need to take care of "style".
Updated by Steffen Kamper about 15 years ago
Look at the unit tests I committed yesterday to trunk; you'll find a lot of possible XSS attacks using the style attribute.
Updated by Martin Kutschker almost 15 years ago
@Marcus: how could JS be embedded in a style attribute? Are you referring to MS's "dynamic properties"? If yes, wouldn't it be better to remove the style attribute than to garble it?
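An added example, not part of the thread and not TYPO3's code: it contrasts the string-level garbling reported in the description with handling start tags and attributes separately and dropping the whole style attribute, as suggested in the description and the comment above. `garble_keywords` is a hypothetical stand-in that only reproduces the reported output, and the regex tokeniser assumes start tags that close with ">".

```python
import re

# Constructed sample: the input quoted in the bug description.
REPORTED_INPUT = '<![CDATA[ <div style="x:y">test</div> ]>'


def garble_keywords(html: str) -> str:
    """Stand-in for the reported behaviour (not TYPO3's RemoveXSS source):
    swap the first two characters of "style" for "<x>" anywhere in the string."""
    return re.sub(r"st(?=yle)", "<x>", html, flags=re.IGNORECASE)


# A start tag: "<", a name, then attributes; quoted values may contain ">".
START_TAG = re.compile(
    r"""<([A-Za-z][A-Za-z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>""")
# One attribute: separator (whitespace or "/"), name, optional =value.
ATTRIBUTE = re.compile(
    r"""[\s/]+([^\s"'=<>/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")


def strip_style_attributes(html: str) -> str:
    """Tokenise start tags and drop whole style attributes.
    Text nodes, end tags and all other attributes are left untouched."""
    def clean_tag(tag: re.Match) -> str:
        kept = ATTRIBUTE.sub(
            lambda a: "" if a.group(1).lower() == "style" else a.group(0),
            tag.group(2))
        return "<" + tag.group(1) + kept + ">"
    return START_TAG.sub(clean_tag, html)


if __name__ == "__main__":
    print(garble_keywords(REPORTED_INPUT))         # markup is corrupted
    print(strip_style_attributes(REPORTED_INPUT))  # markup stays well-formed
```

Because only attribute names inside start tags are examined, the word "style" in text content or inside another attribute's quoted value is not altered.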
Updated by Marcus Krause almost 15 years ago
@Martin
http://ha.ckers.org/xss.html -> search for "style"
Updated by Alexander Opitz over 11 years ago
- Category deleted (Communication)
- Status changed from New to Needs Feedback
- Target version deleted (0)
The issue is very old. Does this issue exist in newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by Alexander Opitz about 11 years ago
- Status changed from Needs Feedback to Closed
- Is Regression set to No
No feedback for over 90 days.