On Mon, May 09, 2005 at 12:11:06PM +0200, Alexis Sukrieh wrote:
> Find attached a diff made against 2.0.15 and our last sid version.
>
> | + $text = preg_replace('#(script|about|applet|activex|chrome):#is',
> "\\1:", $text);
>
> It looks like this patch can be applied to close the bug.
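Review bot: as the quoted line reads here, the replacement string `"\\1:"` is identical to the text the pattern matches, so this preg_replace changes nothing; the discussion of browsers decoding HTML entities suggests the intended replacement encoded the colon as a character reference (e.g. `&#58;`) and the entity was decoded somewhere between the diff and this message, so the applied patch should be checked for what it actually emits. Even with the entity in place, encoding the colon does not neutralise the scheme: browsers decode character references in attribute values before the URL is parsed, so `javascript&#58;` is interpreted exactly like `javascript:`. The pattern also only names five substrings and matches `script` anywhere rather than as a URL scheme, so any scheme outside the list passes untouched. A more robust fix is to decode entities first, take the scheme from the start of the URL, and accept only an explicit allow-list (http, https, mailto, and scheme-less relative URLs) instead of rewriting a blacklist.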
Ok, based on the patch, whatever is being fixed is definitely suspected to be a cross-site scripting issue. It looks like this is about preventing URLs like <img src="javascript:foo"> from being output.

Since browsers are supposed to parse the html entities before interpreting the resulting URL, this patch seems wrong to me; it might actually work, though, if the affected browsers really do not parse such html entities in advance.

Also, only rewriting specific schemes would be dangerous, as who knows when a certain browser will actually include yet another such scheme and start to do funny things with it. A whitelist would also be tricky though.

I tend more to think it's a browser problem if it allows site-specified code to be run via <a href=> and <img src=> and such, that is, outside of <script> context.

Opinions?
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
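As an added illustration of the point made in this thread (example code written for this page, not the quoted patch or the project's own code), the block below puts the blacklist rewrite from the diff next to what a browser works with after entity decoding, and next to a scheme allow-list check of the kind Jeroen mentions. The function names are mine, and the code assumes the patch's replacement string was `\\1&#58;` (an entity-encoded colon) that got decoded when the mail was archived.

```php
<?php
// Added illustration for this thread, not code from the project or the quoted patch.
// Assumption: the patch's replacement was "\\1&#58;" (an HTML character reference for
// the colon) and the entity was decoded when the mail was archived.

// The quoted patch's approach: rewrite "<scheme>:" for a fixed list of schemes.
function blacklistRewrite(string $text): string
{
    return preg_replace('#(script|about|applet|activex|chrome):#is', '\\1&#58;', $text);
}

// What the browser works with: attribute values are entity-decoded before the URL
// is parsed, which is why the rewrite above does not change what the browser sees.
function asBrowserSees(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list check for a single href/src value: decode entities, drop the leading
// whitespace and control characters browsers ignore, then accept only known
// schemes or scheme-less (relative) URLs.
function isAllowedUrl(string $url): bool
{
    static $allowed = ['http', 'https', 'mailto'];

    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $decoded = preg_replace('/^[\x00-\x20]+/', '', $decoded);

    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $decoded, $m)) {
        return true; // no scheme at all: relative URL resolved against this site
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample inputs for the demonstration.
$samples = [
    'http://example.com/page',
    '/relative/path',
    'mailto:someone@example.com',
    'javascript:foo',
];

foreach ($samples as $s) {
    $rewritten = blacklistRewrite($s);
    printf("%-28s rewritten=%-24s browser sees=%-24s allowed=%s\n",
        $s, $rewritten, asBrowserSees($rewritten), isAllowedUrl($s) ? 'yes' : 'no');
}
```

Running it shows the rewrite turning `javascript:foo` into `javascript&#58;foo` while `asBrowserSees()` returns `javascript:foo` again, so the browser's view is unchanged; `isAllowedUrl()` rejects that value and accepts the http, mailto and relative samples. The allow-list check decodes before it inspects the scheme, so it judges what the browser will actually parse rather than the encoded text.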