[ic] Standard demo: prevent XSS on forum submission

Rick Bragg lists at gmnet.net
Sat Nov 21 17:28:16 UTC 2009


On Thu, 2009-11-19 at 09:51 -0600, Josh Lavin wrote:
> The mv_arg parameter is not filtered when output in the page during  
> forum comment submission and replies, which can allow cross-site  
> scripting to be used.
> 
> http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297
> 
> 
> --- a/dist/standard/include/forum/reply_form
> +++ b/dist/standard/include/forum/reply_form
> @@ -1,4 +1,4 @@
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
>   <form ACTION="[area @@[email protected]@]" METHOD="GET">
>   <input type=hidden name=artid VALUE="[loop-data forum artid]">
>   <input type=hidden name=parent VALUE="[loop-code]">
> 
> --- a/dist/standard/include/forum/submit_form
> +++ b/dist/standard/include/forum/submit_form
> @@ -4,7 +4,7 @@
>          return;
>   [/calc]
>   [/if]
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
>   <form ACTION="[area @@[email protected]@]" METHOD="GET">
>   <input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
>   <input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
> 
> --
> Josh Lavin
> Perusion -- Expert Interchange Consulting    http://www.perusion.com/
> 

Hi,

Since [data session arg] is always input from the url, maybe it should
be filtered more up-stream?  That way anywhere this tag is used as is,
it would be safe.  Is there a way to do that maybe in the [data] tag? or
would that be a bad idea?

Rick




-- 
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.




More information about the interchange-users mailing list