Ticket #5718 (closed Bug: fixed)
html injection in plone 2.5 comments
| Reported by: | linqueur | Owned by: | dannyb |
|---|---|---|---|
| Priority: | blocker | Milestone: | 2.1.4 |
| Component: | Infrastructure | Version: | |
| Keywords: | html injection, discussions, comments | Cc: | |
Description
By default comments (former discussions) in plone 2.5 seem to accept html code, s.t. <script>alert('This is an alertbox')</script> is executed when viewing. I posted this on gmane.comp.web.zope.plone.user and got the following answer by Alexander Limi:
> By default, Plone comments should be plain text, not HTML - if somebody changed that, they screwed up. :)
> Please file a bug at http://dev.plone.org/plone and mention what I said above.
Attachments
Change History
comment:1 Changed 6 years ago by hannosch
- Priority changed from minor to major
- Component changed from Unknown to Discussions
comment:2 Changed 6 years ago by alecm
- Priority changed from major to blocker
- Milestone changed from 2.5.x to 2.5.1
comment:3 Changed 6 years ago by alecm
I cannot reproduce this in 2.5 svn. HTML input is quoted, no tags are rendered. Do you have some 3rd party product installed that may be responsible for this?
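The behaviour alecm describes (HTML input is quoted, no tags are rendered) is the guarantee a plain-text comment renderer has to give. The following is an added Python example, not Plone's own code: a minimal escaping renderer plus a regression check, run over the payload quoted in the report and over a benign comment; the function names and sample comments are assumptions.

```python
import html
import re

# Constructed sample comment bodies: the payload quoted in the ticket and a
# harmless comment that merely contains angle brackets and ampersands.
SAMPLE_COMMENTS = [
    "<script>alert('This is an alertbox')</script>",
    "Use a < b && b > c in the loop",
]

# Anything that still looks like a real tag after rendering.
TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")


def render_plain_text_comment(body: str) -> str:
    """Render a comment body as plain text.

    Every HTML-significant character (<, >, &, quotes) is escaped so the
    browser displays it literally; line breaks are the only markup emitted,
    and they are generated here, never taken from the input.
    """
    escaped = html.escape(body, quote=True)
    return "<br />".join(escaped.splitlines())


def contains_live_markup(rendered: str) -> bool:
    """True if a rendered fragment still carries a tag other than the
    <br /> the renderer itself emits; useful as a regression test for the
    kind of behaviour reported in this ticket."""
    without_breaks = rendered.replace("<br />", "")
    return TAG_RE.search(without_breaks) is not None


def audit_comments(bodies) -> list:
    """Render each body and return the ones that would still carry markup."""
    return [b for b in bodies if contains_live_markup(render_plain_text_comment(b))]


if __name__ == "__main__":
    for body in SAMPLE_COMMENTS:
        print(render_plain_text_comment(body))
    print("offending comments:", audit_comments(SAMPLE_COMMENTS))
```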
comment:4 Changed 6 years ago by linqueur
I am a newbie to plone and zope, so I don't know how to give you effective information about my installation. I installed the linux download version from plone.org at 2006-07-28 called Plone2.5-UnifiedInstaller-r2.tgz. After unpacking the date of the directory Plone2.5-UnifiedInstaller was 2006-07-07. I think your question about installed 3rd party products could be answered by the install tab of the portal_quickinstaller in the ZMI, so this is what follows:
Installable Products
| Product Name | Version |
|---|---|
| CMFSquidTool | 1.3.0 |
| CacheSetup | 1.0 |
| Marshall | 0.6.5-final |
| PloneErrorReporting | 0.11 |
| PloneLanguageTool | 1.3 |
| TextIndexNG3 | 3.1.9 |
Installed Products
| Product | Version at Install time | Product version |
|---|---|---|
| ATContentTypes | 1.1.1-final | 1.1.1-final |
| ATReferenceBrowserWidget | 1.4 | |
| Archetypes | 1.4.0-final | 1.4.0-final |
| CMFActionIcons | CMF-1.6.1 | |
| CMFCalendar | CMF-1.6.1 | |
| CMFFormController | 2.0.4 | 2.0.4 |
| CMFPlacefulWorkflow | 1.0.0-final | 1.0.0-final |
| GroupUserFolder | 3.52 | 3.52 |
| MimetypesRegistry | 1.4.0-final | 1.4.0-final |
| PasswordResetTool | 0.4 | 0.4 |
| PlonePAS | 2.0.1 | 2.0.1 |
| PortalTransforms | 1.4.0-final | 1.4.0-final |
| ResourceRegistries | 1.3 | 1.3 |
| kupu | kupu 1.3.7-plone | kupu 1.3.7-plone |
I hope this helps. Let me know if you need other information.
comment:5 Changed 6 years ago by alecm
And you haven't customized any templates or scripts, I presume?
Changed 6 years ago by linqueur
- attachment manage_installProductsForm added: Install tab of portal_quickinstaller
comment:7 Changed 6 years ago by linqueur
No change. I changed the logo now, but injection was possible right at the beginning. The only interesting thing I did after following the installation guide of plone documentation was to allow discussions on every item. Do you want an example injected page attached too?
comment:8 Changed 6 years ago by linqueur
I will attach the source of an injected page now. It is interesting that the comment of admin is filtered while the comments of the owner and another user are not.
comment:10 Changed 6 years ago by linqueur
I reproduced the problem with a completely fresh installation. Just installed, added a plone site, added a user who added a plone page where discussions are allowed and had the same result as before (owner was able to inject html, admin not).
comment:11 Changed 5 years ago by alecm
- Status changed from new to closed
- Resolution set to fixed
