XSS vulnerability Fri, 10 Apr 2026 13:09:14 +0000 https://bugs.horde.org/ticket/8715 XSS vulnerability . . Wed, 18 Nov 2009 06:48:28 +0000 https://bugs.horde.org/ticket/8715#t56769 How about this? How about this? Tue, 24 Nov 2009 05:17:35 +0000 https://bugs.horde.org/ticket/8715#t56829 Attachments are not private anyway. :) Your patch seems t Attachments are not private anyway. :) Your patch seems to do its job, attached is a test case. I'm not sure how far Firefox can be tricked to consider a link as a data scheme. I'm thinking of variants of "data:text/html". Tue, 24 Nov 2009 23:39:37 +0000 https://bugs.horde.org/ticket/8715#t56840 Don't forget about other content types. For example, if the Don't forget about other content types. For example, if the data is the base64 encoding of: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <!--a75c305b1c0a6022--><title>Test</title> </head> <body> <script type="text/javascript">alert(document.cookie)</script> </body> </html> Then, the attacker can also use a link with the following URI: data:application/xhtml+xml;base64,<encoding of above> And this is not the only one. If the use the content types text/xml or application/xml, the page will be parsed as a xml document. In the script, document has now type XMLDocument, and doesn't have the property cookie. We can still write something like: <script type="text/javascript"> if (undefined === document.cookie) window.location.replace(window.location.href.replace("text/xml", "application/xhtml+xml")) else alert(document.cookie) </script> The same for application/xml, or more elaborate code to take care of various cases. I just tested this four cases, text/html, text/xml, application/xml, application/xhtml+xml and I don't know if there are others. I don't have a better suggestion for you, so I just leave the comment that blacklisting can be dangerous. Thank you for your time. > Attachments are not private anyway. :) > > Your patch seems to do its job, attached is a test case. > > I'm not sure how far Firefox can be tricked to consider a link as a > data scheme. I'm thinking of variants of "data:text/html". Wed, 25 Nov 2009 13:20:45 +0000 https://bugs.horde.org/ticket/8715#t56847 > I don't have a better suggestion for you, so I just leave > I don't have a better suggestion for you, so I just leave the comment > that blacklisting can be dangerous. Of course attempting to blacklist HTML attributes/elements to fix all security issues is dangerous. That is why we disable HTML inline viewing by default. But a large portion of users want/need this inline display and are willing to view these parts even with the understanding that the filtering may not be 100% accurate. That being said, thanks for your examples. It is clear that we need to filter *any* data information contained in the href parameter. I'm going to go ahead and add this to git and CVS FW_3. Will leave this ticket open for a few days for additional feedback. Thu, 26 Nov 2009 00:24:07 +0000 https://bugs.horde.org/ticket/8715#t56868 Changes have been made in Git for this ticket: Bug #8715: F Changes have been made in Git for this ticket: Bug #8715: Fix XSS vulnerability. create mode 100644 framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html http://git.horde.org/diff.php/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php?rt=horde-git&r1=b985abda1822ab9fde68d9e4dc7dcd16b6d6ebbc&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a http://git.horde.org/diff.php/framework/Text_Filter/package.xml?rt=horde-git&r1=f40aebaffdde11d95282b77c9ca7018cffcb61dd&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a http://git.horde.org/co.php/framework/Text_Filter/test/Horde/Text/Filter/fixtures/xss96.html?rt=horde-git&r=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a http://git.horde.org/diff.php/framework/Text_Filter/test/Horde/Text/Filter/xss.phpt?rt=horde-git&r1=8459795203b644a096720099c4f22d4cdc39dc49&r2=14d802ae6bf6ae4e7d8721deeb3fd7ffab66a97a Thu, 26 Nov 2009 00:28:32 +0000 https://bugs.horde.org/ticket/8715#t56869 Changes have been made in CVS for this ticket: Bug: 8715 ch Changes have been made in CVS for this ticket: Bug: 8715 changelog http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.1288&r2=1.1289&ty=u Thu, 26 Nov 2009 00:35:31 +0000 https://bugs.horde.org/ticket/8715#t56870 Changes have been made in CVS for this ticket: Bug: 8715 Fi Changes have been made in CVS for this ticket: Bug: 8715 Fix XSS vulnerability. http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/Attic/xss.php?rt=horde&r1=1.1.2.18&r2=1.1.2.19&ty=u http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.583&r2=1.515.2.584&ty=u Thu, 26 Nov 2009 00:38:42 +0000 https://bugs.horde.org/ticket/8715#t56871 Hi, Attached a patch in case the link has two hrefs with Hi, Attached a patch in case the link has two hrefs with data URLs Mon, 19 Apr 2010 16:18:41 +0000 https://bugs.horde.org/ticket/8715#t58572 > Hi, > > Attached a patch in case the link has two hrefs > Hi, > > Attached a patch in case the link has two hrefs with data URLs This patch is not working for all cases, but this new version of the patch it's working, at least for me. Mon, 19 Apr 2010 17:47:04 +0000 https://bugs.horde.org/ticket/8715#t58573 Fixed in Git and Horde 3.3.9. Git commit: http://lists.h Fixed in Git and Horde 3.3.9. Git commit: http://lists.horde.org/archives/commits/2010-May/003766.html FW_3 CVS commit: http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/Attic/xss.php?sa=1&r1=1.1.2.19&r2=1.1.2.20 Tue, 04 May 2010 05:14:02 +0000 https://bugs.horde.org/ticket/8715#t58709