pirave / postmarkup

Automatically exported from code.google.com/p/postmarkup

Link and Image XSS #5

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

import postmarkup
postmarkup.render_bbcode('[url=<script src="...">]Attack[/url]')
postmarkup.render_bbcode('[img]<script>Attack</script>[/img]')

What is the expected output? What do you see instead?

This should yield:

u'<a href="http://%3Cscript%3E">Attack</a> [&lt;script&gt;]'
u'<img src="&lt;script&gt;foo&lt;/script&gt;"></img><div style="display:none">&lt;script&gt;foo&lt;/script&gt;</div>'

instead, it yields:

u'<a href="http://%3Cscript%3E">Attack</a> [<script>]'
u'<img src="<script>foo</script>"></img><div style="display:none">&lt;script&gt;foo&lt;/script&gt;</div>'

What version of the product are you using? On what operating system?

postmarkup 1.0.7

Please provide any additional information below.

I've included a possible patch for the vulnerabilities, but you may wish to
test them, as I have not tested this patch extensively.

Original issue reported on code.google.com by rlight2@gmail.com on 8 May 2008 at 11:35

Attachments:

GoogleCodeExporter commented 8 years ago
Sorry, copied and pasted the wrong lines from my test:

postmarkup.render_bbcode('[url=<script>Attack</script>]Attack[/url]')

yields

u'<a href="http://%3Cscript%3EAttack%3C/script%3E">Attack</a> [<script>attack<]'

Original comment by rlight2@gmail.com on 9 May 2008 at 3:06

GoogleCodeExporter commented 8 years ago
Fixed in SVN. Thanks.

Original comment by willmcgugan on 23 Sep 2008 at 8:30
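The kind of output escaping this report asks for, as an added example that is not part of the original thread and is neither postmarkup's code nor the attached patch: a small stand-alone renderer for `[url=...]` and `[img]` that escapes every user-derived fragment, including the bracketed domain hint and the image `src`. The function names, the tag regex and the choice to force an `http://` prefix are assumptions made for this illustration.

```python
import html
import re
from urllib.parse import quote

# Added illustration: a tiny stand-alone renderer, not postmarkup's code.
# All names below (render, _attr_url, _domain_label) are assumptions.
_TAGS = re.compile(
    r"\[url=(?P<href>[^\]]*)\](?P<text>.*?)\[/url\]|\[img\](?P<src>.*?)\[/img\]",
    re.S)
_HTTP = re.compile(r"^https?://", re.I)

def _attr_url(raw):
    """Force an http(s) URL, percent-encode it, then escape it for an attribute."""
    raw = raw.strip()
    if not _HTTP.match(raw):
        raw = "http://" + raw
    return html.escape(quote(raw, safe=":/?&=#%"), quote=True)

def _domain_label(raw):
    """The '[domain]' hint after a link is user-derived, so it is escaped too."""
    host = _HTTP.sub("", raw.strip()).split("/", 1)[0]
    return html.escape(host, quote=True)

def render(bbcode):
    """Render [url=...] and [img] tags, escaping every user-derived fragment."""
    out, pos = [], 0
    for m in _TAGS.finditer(bbcode):
        out.append(html.escape(bbcode[pos:m.start()]))  # text between tags
        if m.group("href") is not None:
            out.append('<a href="%s">%s</a> [%s]' % (
                _attr_url(m.group("href")),
                html.escape(m.group("text")),
                _domain_label(m.group("href")),
            ))
        else:
            out.append('<img src="%s">' % _attr_url(m.group("src")))
        pos = m.end()
    out.append(html.escape(bbcode[pos:]))
    return "".join(out)

# The inputs quoted in this report, used as regression cases.
REPORTED = [
    '[url=<script>Attack</script>]Attack[/url]',
    '[img]<script>Attack</script>[/img]',
]

if __name__ == "__main__":
    for case in REPORTED:
        print(render(case))
```

Keeping the reported inputs as regression cases lets a test suite assert that no raw `<script` ever reaches the rendered output.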