Item13764: CommentPlugin should entity encode comments from guest users.

pencil
Priority: Security
Current State: Closed
Released In: 2.0.2
Target Release: patch
Applies To: Extension
Component: CommentPlugin
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
Guests should not be able to insert macros or code into topics anonymously. These present a path for insertion of javascript XSS attacks into topics. This fix will entity encode all inserted text when posted by someone who is not logged in.

Action needed: Any customized CommentPlugin templates should be reviewed. If you allow guests to comment, then it is critical to change the template to prevent injection of javascript or macros in anonymous comments.

In any output templates, change encode="off" to encode="$encodeguest". The CommentPlugin will replace the token with "off" for logged in users, and "entity" for guests.

Example template change:

-%TMPL:DEF{outputoneliner}%   * %<nop>URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%
+%TMPL:DEF{outputoneliner}%   * %<nop>URLPARAM{"comment" encode="$encodeguest"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%

 

ItemTemplate edit

Summary CommentPlugin should entity encode comments from guest users.
ReportedBy GeorgeClark
Codebase 2.0.1, 2.0.0
SVN Range
AppliesTo Extension
Component CommentPlugin
Priority Security
CurrentState Closed
WaitingFor
Checkins distro:852bed78e9bf
TargetRelease patch
ReleasedIn 2.0.2
CheckinsOnBranches master
trunkCheckins
masterCheckins distro:852bed78e9bf
ItemBranchCheckins
Release01x01Checkins
Topic revision: r5 - 10 Oct 2015, GeorgeClark - This page was cached on 08 Dec 2016 - 03:08.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License