
comments don't get sanitized
Reported by Heiko Webers | October 8th, 2008 @ 05:54 AM
RedCloth.new("<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->", [:sanitize_html]).to_html
renders
"<p><!--[if gte IE 4]>alert('XSS');<![endif]--></p>"
According to the XSS Cheat Sheet, this works in some browsers: http://ha.ckers.org/xss.html
Comments and changes to this ticket
steve.pinkham (at gmail) February 24th, 2009 @ 12:38 AM
This bug is invalid.
The conditional comment isn't a security problem; the script tag is the security problem, and that is filtered out. The conditional comment is only there to try to slip the script tag past a filter in a way that the filter might think is harmless, yet have it execute in the browser.
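An added example, not code from the ticket or from RedCloth, showing the kind of regression check a downstream user could run on sanitizer output: it removes HTML comments of the `<!-- -->` form shown in the report (IE conditional comments included) and reports any comment or script markup that remains. The sample input is the output string quoted in the report; the function names are assumptions.

```ruby
# Added example (not part of RedCloth): a post-sanitization step that drops
# HTML comments, including IE conditional comments, and a check that reports
# whether any comment or script markup survived sanitization.

# Matches one complete HTML comment, across lines, shortest match.
HTML_COMMENT = /<!--.*?-->/m

# Remove every HTML comment. An unterminated "<!--" swallows the rest of the
# string, mirroring how browsers treat an unclosed comment. Only the
# "<!-- ... -->" form shown in the ticket is handled here.
def strip_html_comments(html)
  html.gsub(HTML_COMMENT, "").sub(/<!--.*\z/m, "")
end

# Report leftover risky markup so a regression test can fail loudly.
# Returns an array of symbols: :comment if "<!--" remains, :script if a
# script tag (any case, optional whitespace after "<") remains.
def residual_markup(html)
  findings = []
  findings << :comment if html =~ /<!--/
  findings << :script  if html =~ /<\s*script\b/i
  findings
end

# Constructed sample: the exact output quoted in the ticket.
TICKET_OUTPUT = "<p><!--[if gte IE 4]>alert('XSS');<![endif]--></p>"

if __FILE__ == $0
  puts residual_markup(TICKET_OUTPUT).inspect   # [:comment]
  cleaned = strip_html_comments(TICKET_OUTPUT)
  puts cleaned                                  # <p></p>
  puts residual_markup(cleaned).inspect         # []
end
```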
RedCloth is a Ruby library for converting Textile into HTML