#69 new
Heiko Webers

comments don't get sanitized

Reported by Heiko Webers | October 8th, 2008 @ 05:54 AM

RedCloth.new("<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->", [:sanitize_html]).to_html


"<p><!--[if gte IE 4]>alert('XSS');<![endif]--></p>"

According to the XSS CheatSheet this works in some browsers: http://ha.ckers.org/xss.html

Comments and changes to this ticket

  • steve.pinkham (at gmail)

    steve.pinkham (at gmail) February 24th, 2009 @ 12:38 AM

    This bug is invalid.

    The conditional comment isn't a security problem, the script tag is the security problem, and that is filtered out. The conditional comment is only there to try to slip the script tag past a filter in a way the filter might think it's harmless, and yet have it execute on the browser.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

RedCloth is a Ruby library for converting Textile into HTML

Shared Ticket Bins

People watching this ticket