
pre tag attributes are not filtered by filter_html
Reported by Pierre Paysant-Le Roux | April 22nd, 2011 @ 04:54 AM
The input

<pre onclick="alert('XSS');">A pre block with onclick attribute</pre>

outputs as

<pre onclick=\"alert('XSS');\">A pre block with onclick attribute</pre>

when filter_html or filter_pba are enabled.
Here are test cases for this issue.

In filter_html.yaml:
  name: removes onclick attribute in pre tag
  in: <pre onclick="alert('XSS');">A pre block with onclick attribute</pre>
  filtered_html: <pre>A pre block with onclick attribute</pre>

In filter_pba.yml:
  name: removes all attributes in pre tag
  in: <pre class="myclass" onclick="alert('XSS');">A pre block with onclick attribute</pre>
  html: <pre>A pre block with onclick attribute</pre>
The sanitize_html filter is not affected by this problem and removes the onclick attribute.
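Added example, not part of the ticket and not RedCloth's own code: a small post-processing guard that enforces exactly what the two test cases above expect, so a user stuck on an affected release can check RedCloth's output before rendering it. strip_event_handlers drops every on* attribute from every tag (what filter_html should do), strip_pre_attributes drops all attributes from pre tags (what filter_pba should do). The function names, the attribute regex and the extra test strings are assumptions of this example; the two pre inputs are the ones from the ticket. It is regex based and intended for the well-formed markup RedCloth emits, not for arbitrary attacker-supplied HTML, which needs a real HTML parser.

```ruby
# Added example (not RedCloth code): enforce what this ticket's test cases
# expect on RedCloth's output.  Regex based, for well-formed generated markup.

# One attribute inside a tag: leading whitespace, a name, and an optional
# quoted or unquoted value.  Quoted values may contain '>' and are still
# treated as part of the attribute, so <a title="x>y"> is not cut short.
ATTR_RE = /\s+[a-zA-Z_:][-\w:.]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/

# Opening tag: name, zero or more attributes, optional trailing " /".
TAG_RE = /<([a-zA-Z][\w:-]*)((?:#{ATTR_RE.source})*)(\s*\/?)>/

# filter_html behaviour: remove every event-handler attribute (onclick,
# onmouseover, ONLoad, ...) from every tag, keep everything else as-is.
def strip_event_handlers(html)
  html.gsub(TAG_RE) do
    tag, attrs, tail = $1, $2, $3
    kept = attrs.scan(ATTR_RE).reject do |attr|
      name = attr[/\A\s*([^\s=]+)/, 1]
      name =~ /\Aon/i          # attribute name starts with "on" (case-insensitive)
    end
    "<#{tag}#{kept.join}#{tail}>"
  end
end

# filter_pba behaviour for pre blocks: no attributes survive on <pre>.
def strip_pre_attributes(html)
  html.gsub(/<pre((?:#{ATTR_RE.source})*)\s*>/i, "<pre>")
end

# Constructed inputs: the two "in:" strings from the ticket's test cases.
FILTER_HTML_CASE = %q{<pre onclick="alert('XSS');">A pre block with onclick attribute</pre>}
FILTER_PBA_CASE  = %q{<pre class="myclass" onclick="alert('XSS');">A pre block with onclick attribute</pre>}
EXPECTED         = "<pre>A pre block with onclick attribute</pre>"

if __FILE__ == $0
  puts strip_event_handlers(FILTER_HTML_CASE)   # <pre>A pre block with onclick attribute</pre>
  puts strip_pre_attributes(FILTER_PBA_CASE)    # <pre>A pre block with onclick attribute</pre>
  puts strip_event_handlers(FILTER_PBA_CASE)    # class survives, onclick does not
end
```

Note the difference between the two functions on the filter_pba input: strip_event_handlers keeps class="myclass" and only removes the handler, while strip_pre_attributes leaves a bare <pre>, matching the "removes all attributes in pre tag" case. Closing tags are never touched because TAG_RE requires a letter right after "<".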
RedCloth is a Ruby library for converting Textile into HTML