Ticket #1197 (closed defect: notabug)
tags should be stored unescaped
| Reported by: | ddebernardy | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 0.7 |
| Component: | Habari Core Software | Version: | SVN |
| Keywords: | | Cc: | |
Description
If you try to insert a tag such as:

```
mytag" onclick="alert('xss');
```

it gets stored like so in the database:

```
habari=# select * from h_terms;
id | term | term_display | vocabulary_id | mptt_left | mptt_right
----+-------------------------+-----------------------------------------------+---------------+-----------+------------
6 | test1 | test1 | 1 | 1 | 2
12 | test2 | test2 | 1 | 3 | 4
13 | mytag-onclick-alert-xss | mytag&quot; onclick=&quot;alert(&#039;xss&#039;);&quot; | 1 | 5 | 6
```

and it appears to get double-htmlspecialchar()'ed when editing the post.

See also #1195
Change History
comment:3 Changed 2 years ago by ddebernardy
- Summary changed from tags should not be stored as raw data to tags should be stored as raw data
comment:4 Changed 23 months ago by rickc
In the short run storing tags in their raw form may be okay, but in the long run the infrastructure should be in place for things other than posts to be tagged, even by anonymous readers. Wouldn't storing the raw data be a heightened security risk?
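
The double encoding reported in the description, next to the alternative of storing the tag raw and encoding only when it is written into HTML, as an added PHP example that is not Habari's code. The helper names `e`, `edit_field` and `displayed_value` are hypothetical, and `displayed_value` only approximates how a browser decodes an attribute value.

```php
<?php
// Added illustration; helper names are hypothetical, not Habari's API.

// Encode for HTML text and quoted attribute values (the output-time step).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Render the tag field of the post edit form from the stored value.
function edit_field(string $stored): string
{
    return '<input type="text" name="tags" value="' . e($stored) . '">';
}

// Approximate what a browser shows and resubmits: the attribute decoded once.
function displayed_value(string $html): string
{
    $found = preg_match('/value="([^"]*)"/', $html, $m);
    return $found ? html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') : '';
}

$tag = 'mytag" onclick="alert(\'xss\');'; // the tag from the ticket

// Case 1: encoded before storage (the behaviour the ticket reports).
$stored_escaped = e($tag);
$html1 = edit_field($stored_escaped);

// Case 2: stored raw, encoded only when written into HTML.
$stored_raw = $tag;
$html2 = edit_field($stored_raw);

echo "escaped storage, DB value : $stored_escaped\n";
echo "escaped storage, markup   : $html1\n";
echo "escaped storage, user sees: " . displayed_value($html1) . "\n\n";
echo "raw storage, DB value     : $stored_raw\n";
echo "raw storage, markup       : $html2\n";
echo "raw storage, user sees    : " . displayed_value($html2) . "\n\n";

// Does the markup keep the tag inside the value attribute? The check looks
// for a literal quote followed by the onclick attribute from the tag.
echo "case 1 stays in attribute: ", var_export(strpos($html1, '" onclick=') === false, true), "\n";
echo "case 2 stays in attribute: ", var_export(strpos($html2, '" onclick=') === false, true), "\n";
// Does the edit form hand the user back exactly the tag they entered?
echo "case 1 round-trips: ", var_export(displayed_value($html1) === $tag, true), "\n";
echo "case 2 round-trips: ", var_export(displayed_value($html2) === $tag, true), "\n";
```

The encoding applied in `edit_field` is what keeps the tag inside the attribute in both cases; encoding again at storage time only adds the second layer that the edit form then displays as literal entities.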
