Closed amlwwalker closed 10 years ago
Well, if you enable editing in config.php and then place Wikitten on a public server, without any kind of additional protection (like HTTP authorization), of course you are going to be in trouble.
It's more that it accepts <!script!> tags etc. to be put into the page without any encoding or protection against direct JavaScript injection. It's a case of checking what is being added to the page and removing <!script!> <!scri<!script!>pt> <!sCrIpt!> etc. tags and replacing them with safe encoded equivalents...
EDIT: Notice I had to add the ! to my script tags here as GitHub won't allow them to be put on a page - a crude but effective protection against the same thing.
The wiki pages are vulnerable to javascript injection. Putting this on a page is risky.
Can a routine be run on "Saving changes" to check for and encode any script tags, so that the wiki is protected against this?
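As an added example (not code from Wikitten or from anyone in this thread), a Python sketch of the "check on save" idea: a single-pass tag stripper, which the nested spelling quoted in the comment above defeats, next to encoding on save, which needs no list of tag spellings at all. The sample page contents are constructed for the demonstration.

```python
import html
import re

# Constructed sample page contents covering the variants named in the thread:
# a plain tag, a mixed-case tag, and a tag nested inside its own spelling.
SAMPLE_PAGES = {
    "plain": "Hello <script>alert(1)</script> world",
    "mixed_case": "Hello <sCrIpt>alert(1)</ScRiPt> world",
    "nested": "Hello <scri<script>pt>alert(1)</scri</script>pt> world",
}

# Matches an opening or closing <script ...> tag in any letter case.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags_once(text: str) -> str:
    """Naive blacklist: remove <script> tags in a single regex pass.
    Removing the inner tag of '<scri<script>pt>' leaves '<script>' behind."""
    return SCRIPT_TAG.sub("", text)


def strip_script_tags_until_stable(text: str) -> str:
    """Repeat the stripping until nothing changes. This closes the nesting hole,
    but it still depends on a list of tag spellings being complete."""
    while True:
        stripped = SCRIPT_TAG.sub("", text)
        if stripped == text:
            return stripped
        text = stripped


def encode_on_save(text: str) -> str:
    """Encoding approach: turn every HTML-significant character into its entity
    so the browser renders the text literally. No tag spelling survives this."""
    return html.escape(text, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Reviewer's check: is there still a live <script> tag after processing?"""
    return SCRIPT_TAG.search(rendered) is not None


def evaluate(sanitizer) -> dict:
    """Run every sample through a sanitizer; True means a script tag survived."""
    return {name: contains_script_tag(sanitizer(page))
            for name, page in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for fn in (strip_script_tags_once, strip_script_tags_until_stable, encode_on_save):
        print(fn.__name__, evaluate(fn))
```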