[pmwiki-users] Fix for cross-site scripting (XSS) in wikitrail links
ljb
ljb220 at mindspring.com
Mon Apr 3 21:11:03 CDT 2006
Using pmwiki-2.1.5:
The displayed text for links to previous and next pages in a wikitrail
are not being escaped when sent to the browser. This lets you insert
arbitrary HTML and scripts on a wiki page.
For example: Make a page "x1" with this text:
===== x1 =====
* [[x2|First link]]
* [[x3|Second link</a><script>window.alert('Hello, wiki');</script><a>]]
==============
Save the page, and click on "First link" to create page x2 with this
wikitrail markup:
===== x2 =====
<<|[[x1]]|>>
==============
Save the page. Alert popup displays whenever page "x2" is viewed.
Proposed patch:
--- scripts/trails.orig.php 2006-03-31 21:27:24.000000000 -0500
+++ scripts/trails.php 2006-04-01 15:38:49.000000000 -0500
@@ -61,7 +61,7 @@
preg_replace('/[#?].+/', '', $match[3]));
$t[$n]['depth'] = $depth = strlen($match[1]);
$t[$n]['pagename'] = $tgt;
- $t[$n]['markup'] = $match[2];
+ $t[$n]['markup'] = str_replace('<', '<', $match[2]);
$t[$n]['detail'] = $match[9];
for($i=$depth;$i<10;$i++) $d[$i]=$n;
if ($depth>1) $t[$n]['parent']=@$d[$depth-1];
More information about the pmwiki-users
mailing list