Ticket #5718 (closed Bug: fixed)

Opened 10 years ago

Last modified 7 years ago

html injection in plone 2.5 comments

Reported by: linqueur Owned by: dannyb
Priority: blocker Milestone: 2.1.4
Component: General Version:
Keywords: html injection, discussions, comments Cc:

Description

By default comments (former discussions) in plone 2.5 seem to accept html code, s.t. <script>alert('This is an alertbox')</script> is executed when viewing. I posted this on gmane.comp.web.zope.plone.user and got the following answer by Alexander Limi:

By default, Plone comments should be plain text, not HTML - if somebody changed that, they screwed up. :)

Please file a bug at  http://dev.plone.org/plone and mention what I said above.

Attachments

manage_installProductsForm Download (14.0 KB) - added by linqueur 10 years ago.
Install tab of portal_quickinstaller
injection.html Download (22.5 KB) - added by linqueur 10 years ago.

Change History

comment:1 Changed 10 years ago by hannosch

  • Priority changed from minor to major
  • Component changed from Unknown to Discussions

comment:2 Changed 10 years ago by alecm

  • Priority changed from major to blocker
  • Milestone changed from 2.5.x to 2.5.1

comment:3 Changed 10 years ago by alecm

I cannot reproduce this in 2.5 svn. HTML input is quoted, no tags are rendered. Do you have some 3rd party product installed that may be responsible for this.

comment:4 Changed 10 years ago by linqueur

I am a newbee to plone and zope, so I dont know how to give you effective information about my installation. I installed the linux download version from plone.org at 2006-07-28 called Plone2.5-UnifiedInstaller-r2.tgz. After unpacking the date of the directory Plone2.5-UnifiedInstaller was 2006-07-07. I think your question about installed 3rd party products could be answered by the install tab of the portal_quickinstaller in the ZMI, so this is what follows:

Installable Products

Product Name Version CMFSquidTool 1.3.0 CacheSetup 1.0 Marshall 0.6.5-final PloneErrorReporting 0.11 PloneLanguageTool 1.3 TextIndexNG3 3.1.9

Installed Products

Product Version at Install time Product version ATContentTypes 1.1.1-final 1.1.1-final ATReferenceBrowserWidget 1.4 Archetypes 1.4.0-final 1.4.0-final CMFActionIcons CMF-1.6.1 CMFCalendar CMF-1.6.1 CMFFormController 2.0.4 2.0.4 CMFPlacefulWorkflow 1.0.0-final 1.0.0-final GroupUserFolder 3.52 3.52 MimetypesRegistry 1.4.0-final 1.4.0-final PasswordResetTool 0.4 0.4 PlonePAS 2.0.1 2.0.1 PortalTransforms 1.4.0-final 1.4.0-final ResourceRegistries 1.3 1.3 kupu kupu 1.3.7-plone kupu 1.3.7-plone

I hope this helps. Let me know if you need other information.

comment:5 Changed 10 years ago by alecm

And you haven't customized any templates or scripts, I presume?

Changed 10 years ago by linqueur

Install tab of portal_quickinstaller

comment:6 Changed 10 years ago by alecm

  • Owner changed from somebody to dannyb

comment:7 Changed 10 years ago by linqueur

No change. I changed the logo now, but injection was possible right at the beginnig. The only interesting thing I did after following the installation guide of plone documentation was to allow discussions on every item. Do you want an example injected page attached too?

comment:8 Changed 10 years ago by linqueur

I will attach the source of an injected page know. It is interesting that the comment of admin is filtered while the comments of the owner and another user not.

Changed 10 years ago by linqueur

comment:9 Changed 10 years ago by alecm

That's indeed very interesting.

comment:10 Changed 10 years ago by linqueur

I reproduced the problem with a completely fresh installation. Just installed, added a plone site, added a user who added a plone page where discussions are allowed and had the same result like before (owner was able to inject html, admin not).

comment:11 Changed 10 years ago by alecm

  • Status changed from new to closed
  • Resolution set to fixed

(In [10409]) DiscussionTool.cookReply needs to be available to anyone who can comment on an item, otherwise the comment will not be cooked and we get HTML injection. This fixes #5718

comment:12 Changed 10 years ago by alecm

  • Milestone changed from 2.5.1 to 2.1.x

comment:13 Changed 9 years ago by hannosch

  • Milestone changed from 2.1.x to 2.1.4

comment:14 Changed 7 years ago by hannosch

  • Component changed from Discussions to Infrastructure

comment:15 Changed 4 years ago by davisagli

  • Component changed from Infrastructure to General
Note: See TracTickets for help on using tickets.