[pmwiki-users] ZAP and htmlspecialchars...

Patrick R. Michaud pmichaud at pobox.com
Mon Oct 30 12:23:00 CST 2006 

On 10/22/06, The Editor <editor at fast.st> wrote:
> On 10/22/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > > 1) If I'm using PageUpdate for all file changes, do I need to worry
> > > about using htmlspecialchars?  My assumptions is PmWiki takes care of
> > > all that for me.
> >
> > That would be an incorrect assumption.  PmWiki's built in markups
> > are okay, but if ZAP adds any markups that produce output from
> > user-contributed source data, ZAP needs to be handling htmlspecialchars.
>
> I took a stab at it, but not sure I got them right. I wouldn't even
> know what to do to test if it was working right!  : )  Do these look
> ok?
>
> Markup('select', 'inline', '/\(:select (.*?):\\)/',
>    "htmlspecialchars(\"<select name=$1>\")");

Ah.  If you're grabbing data from existing markup (e.g., 
from a capturing parentheses in the pattern of a markup rule),
then htmlspecialchars isn't needed here, because PmWiki has
already run htmlspecialchars on the markup text.

Where htmlspecialchars() is generally needed is when getting
data from another source *other* than the markup of the current page.

So, eliminating htmlspecialchars from the above give us:

    Markup('select', 'inline', 
      '/\\(:select (.*?):\\)/',
      "<select name=$1>");

However, this has some other problems.  First, all XHTML
attributes should be quoted, thus name='$1' instead of name=$1.
But more troubling is that the above invites a cross-site
scripting vulnerability if anyone can edit the page, thus:

    (:select xyz onclick='alert("Ooops!")':)

produces

    <select name=xyz onclick='alert("Ooops!")'>

and that's not a good thing, since the author can get
onclick= to do a number of undesirable operations.

> Markup('textarea', 'inline', '/\\(:textarea (.*?):\\)/e',
>    "Keep(PSS(htmlspecialchars(\"<textarea $1>\")))");
> Markup('option', 'inline', '/\\(:option (.*?):\\)/e',
>   "Keep(PSS(\"<option value='$1'>\"))");

These also have the XSS vulnerability (and don't need
htmlspecialchars, because they're drawing from markup of
the current page).

Pm

More information about the pmwiki-users mailing list