[ic] Standard demo: prevent XSS on forum submission
Rick Bragg
lists at gmnet.net
Sat Nov 21 17:28:16 UTC 2009
On Thu, 2009-11-19 at 09:51 -0600, Josh Lavin wrote:
> The mv_arg parameter is not filtered when output in the page during
> forum comment submission and replies, which can allow cross-site
> scripting to be used.
>
> http://github.com/jlavin/interchange/commit/1abf12d5332b57d50843198ab9b159778c491297
>
>
> --- a/dist/standard/include/forum/reply_form
> +++ b/dist/standard/include/forum/reply_form
> @@ -1,4 +1,4 @@
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input type=hidden name=artid VALUE="[loop-data forum artid]">
> <input type=hidden name=parent VALUE="[loop-code]">
>
> --- a/dist/standard/include/forum/submit_form
> +++ b/dist/standard/include/forum/submit_form
> @@ -4,7 +4,7 @@
> return;
> [/calc]
> [/if]
> -[loop list="[data session arg]"]
> +[loop list="[data base=session field=arg filter=encode_entities]"]
> <form ACTION="[area @@MV_PAGE@@]" METHOD="GET">
> <input TYPE="HIDDEN" NAME="artid" VALUE="[loop-data forum artid]">
> <input TYPE="HIDDEN" NAME="parent" VALUE="[loop-code]">
>
> --
> Josh Lavin
> Perusion -- Expert Interchange Consulting http://www.perusion.com/
>
Hi,
Since [data session arg] is always input from the url, maybe it should
be filtered more up-stream? That way anywhere this tag is used as is,
it would be safe. Is there a way to do that maybe in the [data] tag? or
would that be a bad idea?
Rick
--
This message has been scanned for viruses and
dangerous content by Green Mountain Network, and is
believed to be clean.
More information about the interchange-users
mailing list