stored XSS in v2.1-rc1 #456
Hi @We5ter. Thanks for reporting. But there is no sound defence against that, as far as I can see. It is absolutely necessary that javascript embedded into entries gets executed, as that enables a broad range of use cases for writing better articles (think charts, for example). We could now escape the js only when an admin is logged in, but then he would no longer realize what happens on the blog. If you are in a multi-user blog, consider installing the serendipity_event_xsstrust plugin. With it you can define which users get the ability to post html in entries.
@onli Thank you for your quick reply. As you said, I have installed the serendipity_event_xsstrust plugin and set the value to "3" (the plugin says this means banned), but according to this plugin's description, this plugin just shows all authors with their ethic value, but cannot stop users from getting the ability to post html in entries. And I suggest: as a rich text editor, other CMSs also allow injecting html/js in entries, so I think serendipity should use CSP or httponly, or filter the user's input using a regular expression.
Oh, that looks like a valid bug in htmlpurifier! I will try out whether the current version of that fixes it.
@onli Thank you for your hard work!
There is still an issue, but you installed the wrong plugin. You installed serendipity_plugin_xsstrust, the sidebar plugin that only shows the values. You'd need the serendipity_event_xsstrust plugin, which comes in the archive, but is in the other plugin menu tab. Note that it is broken in current s9y versions. The fix: Change L96 from to That plugin allows you to filter html completely, and that is one solution. However, that means really completely: even the output from markup plugins is filtered, which maybe should be optional. That is supposed to be better with htmlpurifier. Enabling the htmlpurifier option in there should filter out the script options. But it does not work for me. It seems that the purifier is not being run, and it seems like it does not matter whether it is the current or the bundled version. @garvinhicking, sorry to ping you again, but I'm stumped here.
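The two comments above describe two extremes: the xsstrust plugin filters html completely, while htmlpurifier is meant to remove only the script parts. The following is an added example, not Serendipity's code and not htmlpurifier, of the middle ground: an allowlist-based sanitizer that rebuilds an entry from known-harmless tags and attributes, drops inline event handlers, script elements and javascript: URLs, and records what it removed. The tag and attribute allowlists, the URL scheme check, the helper names and the sample entry (which embeds the payload from this report) are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for this example: permitted tags and, per tag, permitted attributes.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                 # never emit a closing tag for these
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"", "http", "https"}   # "" = relative URL; javascript:/data: are rejected


def safe_url(value: str) -> bool:
    """Accept only relative, http or https URLs (a scheme allowlist, not a blocklist)."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from allowlisted tags/attributes only; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) records of what was removed
        self.skip_depth = 0    # > 0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append((tag, None))
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))   # unknown tag removed; its text is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Event handlers are never on the allowlist; the explicit check is defence in depth.
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text so it stays text


def sanitize(entry_html: str):
    """Return (clean_html, dropped) for one blog entry body."""
    parser = AllowlistSanitizer()
    parser.feed(entry_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample entry: harmless markup plus the payload from the report.
SAMPLE_ENTRY = (
    '<p>Chart below</p>'
    '<img src=1 onerror=alert(1)>'
    '<script>alert(2)</script>'
    '<a href="javascript:alert(3)">link</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_ENTRY)
    print(clean)      # <p>Chart below</p><img src="1"><a>link</a>
    print(dropped)    # [('img', 'onerror'), ('script', None), ('a', 'href')]
```

In a per-author scheme like the one xsstrust implements, such a sanitizer would run in the pre-save hook only for entries by authors who are not trusted to post raw html, so trusted authors keep their charts. The dropped list is worth logging: an entry from a low-trust author that repeatedly loses onerror or script elements is exactly the signal an admin wants to see.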
@onli It seems that I have installed the wrong plugin indeed...
@onli That's bad :-D I fixed it; it checked for the wrong parameter. Obviously we no longer seem to propagate $eventData['authorid'] in the presave entry hook, so I now use the currently logged in user for that.
@We5ter Does that fix it for you?
@onli It seems @garvinhicking has fixed that plugin, so this issue has been fixed.
@onli @garvinhicking Thank you for your hard work.
Then I'll close here. Thanks for the report. It was a real bug after all. |

1. Create a standard editor named "test".

2. Write a new entry containing <img src=1 onerror=alert(1)>

3. Then post this entry; when the admin views it, XSS occurs!