Ticket #5718 (closed Bug: fixed)

Opened 8 years ago

Last modified 5 years ago

html injection in plone 2.5 comments

Reported by: linqueur Owned by: dannyb
Priority: blocker Milestone: 2.1.4
Component: General Version:
Keywords: html injection, discussions, comments Cc:

Description

By default comments (former discussions) in Plone 2.5 seem to accept HTML code, s.t. <script>alert('This is an alertbox')</script> is executed when viewing. I posted this on gmane.comp.web.zope.plone.user and got the following answer by Alexander Limi:

By default, Plone comments should be plain text, not HTML - if somebody changed that, they screwed up. :)

Please file a bug at http://dev.plone.org/plone and mention what I said above.

Attachments

manage_installProductsForm Download (14.0 KB) - added by linqueur 8 years ago.
Install tab of portal_quickinstaller
injection.html Download (22.5 KB) - added by linqueur 8 years ago.

Change History

comment:1 Changed 8 years ago by hannosch

  • Priority changed from minor to major
  • Component changed from Unknown to Discussions

comment:2 Changed 8 years ago by alecm

  • Priority changed from major to blocker
  • Milestone changed from 2.5.x to 2.5.1

comment:3 Changed 8 years ago by alecm

I cannot reproduce this in 2.5 svn. HTML input is quoted, no tags are rendered. Do you have some 3rd party product installed that may be responsible for this?

comment:4 Changed 8 years ago by linqueur

I am a newbie to Plone and Zope, so I don't know how to give you effective information about my installation. I installed the Linux download version from plone.org at 2006-07-28 called Plone2.5-UnifiedInstaller-r2.tgz. After unpacking, the date of the directory Plone2.5-UnifiedInstaller was 2006-07-07. I think your question about installed 3rd party products could be answered by the install tab of the portal_quickinstaller in the ZMI, so this is what follows:

Installable Products

Product Name | Version
CMFSquidTool | 1.3.0
CacheSetup | 1.0
Marshall | 0.6.5-final
PloneErrorReporting | 0.11
PloneLanguageTool | 1.3
TextIndexNG3 | 3.1.9

Installed Products

Product | Version at Install time | Product version
ATContentTypes | 1.1.1-final | 1.1.1-final
ATReferenceBrowserWidget | 1.4
Archetypes | 1.4.0-final | 1.4.0-final
CMFActionIcons | CMF-1.6.1
CMFCalendar | CMF-1.6.1
CMFFormController | 2.0.4 | 2.0.4
CMFPlacefulWorkflow | 1.0.0-final | 1.0.0-final
GroupUserFolder | 3.52 | 3.52
MimetypesRegistry | 1.4.0-final | 1.4.0-final
PasswordResetTool | 0.4 | 0.4
PlonePAS | 2.0.1 | 2.0.1
PortalTransforms | 1.4.0-final | 1.4.0-final
ResourceRegistries | 1.3 | 1.3
kupu | kupu 1.3.7-plone | kupu 1.3.7-plone

I hope this helps. Let me know if you need other information.

comment:5 Changed 8 years ago by alecm

And you haven't customized any templates or scripts, I presume?

Changed 8 years ago by linqueur

Install tab of portal_quickinstaller

comment:6 Changed 8 years ago by alecm

  • Owner changed from somebody to dannyb

comment:7 Changed 8 years ago by linqueur

No change. I changed the logo now, but injection was possible right at the beginning. The only interesting thing I did after following the installation guide of Plone documentation was to allow discussions on every item. Do you want an example injected page attached too?

comment:8 Changed 8 years ago by linqueur

I will attach the source of an injected page now. It is interesting that the comment of admin is filtered while the comments of the owner and another user are not.

Changed 8 years ago by linqueur

comment:9 Changed 8 years ago by alecm

That's indeed very interesting.

comment:10 Changed 8 years ago by linqueur

I reproduced the problem with a completely fresh installation. Just installed, added a Plone site, added a user who added a Plone page where discussions are allowed and had the same result as before (owner was able to inject HTML, admin not).

comment:11 Changed 8 years ago by alecm

  • Status changed from new to closed
  • Resolution set to fixed

(In [10409]) DiscussionTool.cookReply needs to be available to anyone who can comment on an item, otherwise the comment will not be cooked and we get HTML injection. This fixes #5718
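
The failure mode described in comment:11, as an added Python model that is not part of the ticket or of Plone's code: a sanitising step guarded by a permission, with a caller that falls back to the raw text when the step is refused. The class and function names, the fallback behaviour and the role assignments are assumptions, constructed to reproduce what the ticket reports (admin filtered, owner and other user not).

```python
import html

PAYLOAD = "<script>alert('This is an alertbox')</script>"  # string from the ticket
REPLY_ROLES = {"Manager", "Owner", "Member"}  # constructed: who may comment

class Unauthorized(Exception):
    """Caller lacks the permission guarding a method (model, not Zope's class)."""

class ToolModel:
    """Hypothetical model of a tool whose sanitising method is permission-guarded."""
    def __init__(self, reply_roles, cook_roles):
        self.reply_roles, self.cook_roles = set(reply_roles), set(cook_roles)

    def cook_reply(self, text, roles):
        if not self.cook_roles & set(roles):
            raise Unauthorized("cook_reply")
        return html.escape(text)  # plain text in, quoted HTML out

def render_fail_open(tool, text, roles):
    """Assumed flawed caller: when cooking is refused, the raw text is used."""
    try:
        return tool.cook_reply(text, roles)
    except Unauthorized:
        return text

def render_fail_closed(tool, text, roles):
    """Defence in depth: quoting never depends on who wrote the comment."""
    try:
        return tool.cook_reply(text, roles)
    except Unauthorized:
        return html.escape(text)

def roles_missing_cook(tool):
    """Regression check: roles that may reply but may not cook."""
    return sorted(tool.reply_roles - tool.cook_roles)

# "before": only Manager may cook; "after": everyone who may reply may cook.
before = ToolModel(REPLY_ROLES, cook_roles={"Manager"})
after = ToolModel(REPLY_ROLES, cook_roles=REPLY_ROLES)

if __name__ == "__main__":
    for name, tool in (("before", before), ("after", after)):
        for role in ("Manager", "Owner", "Member"):
            out = render_fail_open(tool, PAYLOAD, [role])
            print(name, role, "RAW" if "<script>" in out else "quoted")
        print(name, "roles missing cook:", roles_missing_cook(tool))
```

A check like `roles_missing_cook` belongs in a test suite, so that a later permission change cannot silently reopen the gap between "may comment" and "may sanitise".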

comment:12 Changed 8 years ago by alecm

  • Milestone changed from 2.5.1 to 2.1.x

comment:13 Changed 8 years ago by hannosch

  • Milestone changed from 2.1.x to 2.1.4

comment:14 Changed 5 years ago by hannosch

  • Component changed from Discussions to Infrastructure

comment:15 Changed 22 months ago by davisagli

  • Component changed from Infrastructure to General