#6 ✓resolved
VirtualFunction

Possible XSS Security flaw with lines that begin with white space.

Reported by VirtualFunction | June 26th, 2008 @ 11:26 PM | in 4.0

It appears that lines that start with white space do not get treated correctly by the scanner and thus get ignored by the scanner.

While this is probably not a major issue, it does mean that lines that have white space don't get formatted. In the case of a public site, such as a wiki, this poses a potential security flaw as dangerous tags such as

The attached file contains an example.

Comments and changes to this ticket

  • VirtualFunction

    VirtualFunction June 26th, 2008 @ 11:31 PM

    Oh and this attachment has results, not that you need them as the current master branch will yield the same results as attached.

  • Jason Garber

    Jason Garber June 27th, 2008 @ 01:36 PM

    • State changed from “new” to “open”
    • Tag set to filter_html, sanitize_html

    Oops. I deleted the attachment by mistake. I remember it though.

    Working on a fix...

  • Jason Garber

    Jason Garber July 7th, 2008 @ 03:03 PM

    • State changed from “open” to “resolved”

    I believe I have fixed this in a series of commits 12cf8eb..1d06a6c. Actually, I was handling lines beginning with white space wrongly anyway. But I have fixed the XSS flaw in all the other structures as well.
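
A regression check for the failure described in this ticket, added here as an example; it is not from the ticket, its deleted attachment, or RedCloth's source. `naive_filter`, `strict_filter`, `PROBE` and the leader/structure matrix are constructed stand-ins, and the commented `RedCloth.new(..., [:filter_html])` call assumes the redcloth gem is installed.

```ruby
# Added regression harness (not RedCloth code). Both filters below are toy
# stand-ins; PROBE and the leader/structure matrix are constructed samples.
ESC = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze

def escape(line)
  line.gsub(/[&<>"]/, ESC)
end

# Toy filter with the bug class from the ticket: a line is only recognised
# (and escaped) when it starts at column 0; indented lines pass through raw.
def naive_filter(text)
  text.each_line.map { |l| l.match?(/\A\S/) ? escape(l) : l }.join
end

# Toy fixed filter: every line is escaped, whatever precedes the markup.
def strict_filter(text)
  text.each_line.map { |l| escape(l) }.join
end

PROBE = "<script>probe()</script>".freeze # constructed marker tag
LEADERS = { "none" => "", "space" => " ", "tab" => "\t", "4 spaces" => "    " }.freeze
# Textile block structures to wrap the probe in ("all the other structures").
STRUCTURES = {
  "paragraph"  => "%s",
  "list item"  => "* %s",
  "blockquote" => "bq. %s",
  "table cell" => "|%s|",
}.freeze

# Returns the "leader/structure" cases in which a raw <script survives.
# renderer is anything that responds to #call(text) and returns HTML.
def leaks(renderer)
  LEADERS.flat_map do |lname, lead|
    STRUCTURES.map do |sname, tmpl|
      html = renderer.call("#{lead}#{format(tmpl, PROBE)}\n")
      "#{lname}/#{sname}" if html.match?(/<\s*script/i)
    end.compact
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{leaks(method(:naive_filter)).inspect}"
  puts "strict: #{leaks(method(:strict_filter)).inspect}"
  # Against the real library (assumes the redcloth gem is installed):
  #   require "redcloth"
  #   leaks(->(t) { RedCloth.new(t, [:filter_html]).to_html })
end
```

An empty result from `leaks` means no probe came through unescaped for any leader and structure combination.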


RedCloth is a Ruby library for converting Textile into HTML
