dcwatson / bbcode

A pure python bbcode parser and formatter.
BSD 2-Clause "Simplified" License

XSS vulnerability in some tags #4

Closed slav0nic closed 11 years ago

slav0nic commented 11 years ago
[url]javascript:alert('XSS');[/url]
[url]123" onmouseover="alert('Hacked');[/url]

Solution: escape more symbols, like " and '. All returned HTML values between tags must be escaped.

Check how this is done in Django, for example: https://github.com/django/django/blob/master/django/utils/html.py#L39

dcwatson commented 11 years ago

FYI, I just bumped the version to 1.0.9 and pushed it to PyPI. Thanks for the report.

slav0nic commented 11 years ago

np, but I found a new bug: https://github.com/dcwatson/bbcode/commit/116cb2067003e6c6f679ed3a34e9e00a97a332cf#commitcomment-2807750 :]

Planning to migrate djangobb from postmarkup to your lib.

dcwatson commented 11 years ago

That's not a bug, it's just how the parser works. See my followup comment. You can quote the URL if it has spaces, but I doubt this will be much of an issue in practice. Browsers escape spaces for you (if you copy them), URLs don't tend to have spaces in them, and who types out URLs? :)

Glad to hear you're using my code!

slav0nic commented 11 years ago

ok, thanks) postmarkup does this a different way, but you're right

Pitmairen commented 10 years ago

This is still an issue.

These still work:

[url]javascript:alert('XSS');[/url]

[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

http://www.google.com"onmousemove="alert('XSS');"com

dcwatson commented 10 years ago

FYI, I added a couple more XSS fixes to the url tag and default linker that should address those examples.

slav0nic commented 10 years ago

[URL=data:text/html;base64,PHNjcmlwdD5hbGVydCgiMSIpOzwvc2NyaXB0Pg==]sdfsdf[/URL]

Another passive XSS ;)

dcwatson commented 10 years ago

Fixed in e23f5ae9f9e42a9988a52b8b39815593c264f3ce
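The thread above shows three distinct classes of payload against a `[url]` tag: attribute breakout with a stray quote (the `123" onmouseover=` and `google.com"onmousemove=` examples), an active `javascript:` scheme, and a passive `data:` URI. The following is an added example, not code from the bbcode library or from any of the commenters: a minimal renderer written from scratch that contrasts the escape-only approach with one that also allowlists the URL scheme. The allowlist, the `http://` prefix for scheme-less input, and the function names are assumptions made for the illustration; the payload strings are taken from the thread.

```python
import html
import re

# Assumed allowlist for this example; the bbcode library's own policy may differ.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

# C0 controls, space and DEL, which browsers strip from the ends of a URL.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"


def naive_render(url, text=None):
    """Escape-only rendering, comparable to the first round of fixes.

    html.escape(quote=True) makes the attribute-breakout payloads inert,
    but a javascript: or data: href is emitted unchanged.
    """
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(text or url, quote=True),
    )


def safe_href(url):
    """Return an escaped, scheme-checked href, or None if it must not be linked."""
    # Browsers drop leading/trailing controls and any embedded tab/LF/CR
    # before parsing the scheme, so "java\tscript:" must be normalised
    # first or the scheme check is trivially bypassed.
    candidate = url.strip(_C0_AND_SPACE)
    candidate = candidate.replace("\t", "").replace("\n", "").replace("\r", "")

    match = _SCHEME_RE.match(candidate)
    if match:
        if match.group(1).lower() not in ALLOWED_SCHEMES:
            return None  # javascript:, data:, vbscript:, ... all land here
    else:
        # Assumption for this example: scheme-less input becomes an http URL.
        candidate = "http://" + candidate

    # quote=True escapes both " and ', closing the attribute-breakout hole.
    return html.escape(candidate, quote=True)


def render_url_tag(url, text=None):
    """Render [url]...[/url] or [url=...]...[/url] with a scheme allowlist."""
    label = html.escape(text or url, quote=True)
    href = safe_href(url)
    if href is None:
        return label  # refuse to link; show the escaped text only
    return '<a href="%s">%s</a>' % (href, label)


# Payloads quoted from the issue thread (constructed test input).
PAYLOADS = [
    "javascript:alert('XSS');",
    '123" onmouseover="alert(\'Hacked\');',
    'http://www.google.com"onmousemove="alert(\'XSS\');"com',
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgiMSIpOzwvc2NyaXB0Pg==",
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("naive:", naive_render(payload))
        print("safe: ", render_url_tag(payload))
        print()
```

Running the block shows the difference directly: the escape-only renderer still emits `href="javascript:..."` and `href="data:..."`, while the allowlisting renderer degrades those inputs to plain escaped text and keeps the quote-breakout payloads as harmless, fully escaped hrefs. The nested `[url]...[url]...[/url][/url]` case from the thread is a tag-parsing problem rather than a rendering one and is not covered here.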