Ticket #50 (new defect)
Opened 20 months ago
Possible XSS attack vector via html attributes
| Reported by: | marten | Owned by: | somebody |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | lib | Version: | |
| Keywords: | | Cc: | |
Description
Currently, HTML is nicely handled in regular text output within tags, but the attribute attack vector seems to be overlooked. For instance, someone might have written:
```ruby
div :id => "article-#{params[:id]}" do
  # Do stuff here
end
```
If `params[:id]` is now something like `"\" onmouseover=\"alert('XSS')"` then a malicious user might be able to perform XSS. Admittedly, this is as much an error of the application developer as it is of the Markaby library, but because Markaby's default way of handling HTML in strings is to convert it, the chances the developer forgets to check everything go up (and the fact that this is a commonly overlooked way of exploiting doesn't help).
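The following is an added example, not part of the original ticket and not Markaby's own code: a hypothetical minimal tag builder (`render_tag`, `attribute_names` and the constants are assumed names) that renders the ticket's attribute value once unescaped and once entity-encoded, then counts the attributes a parser would see in the opening tag.

```ruby
require 'cgi'

# Hypothetical stand-in for a builder library; NOT Markaby's implementation.
# It shows the one decision that matters here: whether attribute values are
# entity-encoded before being placed between double quotes.
def render_tag(name, attrs, content, escape_attrs:)
  attr_str = attrs.map do |key, value|
    value = value.to_s
    # CGI.escapeHTML encodes & < > " ' so the value cannot terminate the
    # surrounding double-quoted attribute.
    value = CGI.escapeHTML(value) if escape_attrs
    %( #{key}="#{value}")
  end.join
  "<#{name}#{attr_str}>#{CGI.escapeHTML(content)}</#{name}>"
end

# Names of the attributes present in the opening tag of +html+, read the way
# an HTML tokenizer reads double-quoted attributes.
def attribute_names(html)
  html[/\A<\w+([^>]*)>/, 1].scan(/([\w-]+)="[^"]*"/).flatten
end

# Constructed request parameter, using the value quoted in the ticket.
PARAMS = { id: %q[" onmouseover="alert('XSS')] }.freeze

UNSAFE = render_tag('div', { id: "article-#{PARAMS[:id]}" }, 'body',
                    escape_attrs: false)
SAFE   = render_tag('div', { id: "article-#{PARAMS[:id]}" }, 'body',
                    escape_attrs: true)

puts UNSAFE
puts "attributes seen: #{attribute_names(UNSAFE).inspect}"
puts SAFE
puts "attributes seen: #{attribute_names(SAFE).inspect}"
```

Encoding makes the markup safe to parse, but an application that expects a numeric id should still validate the parameter (for example against `/\A\d+\z/`) before using it.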