Task #8780 (closed)
Bug: XSS possible in comment textarea
| Reported by: | bpindelski | Owned by: | wmoore |
|---|---|---|---|
| Priority: | critical | Milestone: | OMERO-4.4.4 |
| Component: | Web | Version: | n.a. |
| Keywords: | n.a. | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | 2012-07-31 (1) | | |
Description
To reproduce:
- Select an image
- Start adding a comment
- Type in "/><script type="text/javascript">alert(1)</script>
- JS code gets stored in DB and then executed with every subsequent visit to the annotations pane - might be used for session hijacking
Change History (8)
comment:1 Changed 7 years ago by wmoore
- Owner changed from web-team@… to wmoore
comment:2 Changed 7 years ago by wmoore
- Owner changed from wmoore to atarkowska
The bug can be fixed by removing the 'safe' filter on comments (see below). However, then we can't use the 'wikify' filter to add url links.
Ola - do you want to have a look at this and see if there's a better solution?
diff --git a/components/tools/OmeroWeb/omeroweb/webclient/templates/webclient/annotations/comment.html b/components/tools/OmeroWeb/omeroweb/webclient/templates/webclient/annotations/comment.html
index 6df9208..bdc6373 100644
--- a/components/tools/OmeroWeb/omeroweb/webclient/templates/webclient/annotations/comment.html
+++ b/components/tools/OmeroWeb/omeroweb/webclient/templates/webclient/annotations/comment.html
@@ -47,7 +47,7 @@
{% endif %}
<span class='commentText'>
- {{ tann.getTextValue|wikify|safe|linebreaks }}
+ {{ tann.getTextValue|linebreaksbr }}
</span>
</div>
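Review bot: dropping `safe` is what closes the hole, since `tann.getTextValue` then passes through Django autoescaping before `linebreaksbr` adds its `<br>` tags, so the `"/><script ...>` payload from the description is rendered as text instead of markup. Two side effects are worth stating in the commit message: the swap from `linebreaks` to `linebreaksbr` changes the output inside `span.commentText` from `<p>` blocks to `<br>` line breaks, and the `wikify` link rendering is lost. If links are wanted back later, `wikify` would have to escape its input before emitting anchor tags and only then mark the result safe; placing `safe` after it, as in the removed line, trusts whatever markup was stored in the comment.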
comment:3 Changed 7 years ago by jmoore
- Milestone changed from Unscheduled to OMERO-4.4.1
- Owner changed from atarkowska to wmoore
- Priority changed from major to critical
Moving all of Ola's tickets to Will.
comment:4 Changed 7 years ago by wmoore
- Sprint set to 2012-07-31 (1)
comment:5 Changed 7 years ago by wmoore
- Status changed from new to accepted
comment:6 Changed 7 years ago by wmoore
- Resolution set to fixed
- Status changed from accepted to closed
Went with the diff above: https://github.com/will-moore/openmicroscopy/commit/eae4e7ea6f42469138453cea554b919c811c573d
wikify was removed. I think this is OK as it's not used much, and the security flaw is much more important to fix.
comment:7 Changed 7 years ago by saloynton
- Milestone changed from OMERO-4.4.1 to OMERO-4.4.2
Tested:
- I have "/> saved in the description and comments; as expected, it does show a 1 in the dialogue box when I click to save the text.
comment:8 Changed 7 years ago by Will Moore <will@…>
(In [086333332d27a220a66626820ca9eb676eb020a7/ome.git] on branch develop) Fix 'XXS in Comment Textarea'. See #8780
I had to remove the wikify functionality since it seems to be incompatible with making <script> etc safe.
I see this also when I ADD a description or comment (before page refresh). Also see it on page refresh for comment (as described) but not for description.
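The escape-then-linkify pattern that comment:2 asks about, as an added example that is not part of this ticket or of OMERO.web's own code. It is plain Python with no Django dependency: `render_unsafe` stands in for the removed `wikify|safe` chain (stored text emitted as markup), `render_safe` for `linebreaksbr` under autoescaping, and `render_safe_with_links` shows how a link filter can keep URL rendering without trusting the stored text. The sample comment and URL are constructed, and all function names are hypothetical.

```python
import html
import re
from typing import List

# Constructed sample: a comment containing a URL and the payload quoted in the
# ticket description. Not real OMERO data.
XSS_PAYLOAD = '"/><script type="text/javascript">alert(1)</script>'
SAMPLE_COMMENT = "see http://example.org/view?id=1\nand " + XSS_PAYLOAD

# Only http(s) URLs are linkified; quotes, angle brackets and whitespace end a
# match, so a URL can never carry attribute-closing characters into the <a> tag.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def render_unsafe(text: str) -> str:
    """Stand-in for the removed `wikify|safe|linebreaks` chain: the stored
    text is emitted as markup, so any tag in it reaches the browser."""
    return text.replace("\n", "<br>")


def render_safe(text: str) -> str:
    """Stand-in for `linebreaksbr` with autoescaping on: escape first, then
    turn newlines into <br>. The only tag in the output is the one added here."""
    return html.escape(text, quote=True).replace("\n", "<br>")


def render_safe_with_links(text: str) -> str:
    """Escape-then-linkify: split the raw text on URL matches, escape every
    piece, and wrap URL pieces in an anchor. All markup originates here."""
    parts: List[str] = []
    pos = 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()], quote=True))
        url = html.escape(m.group(0), quote=True)  # encodes '&' in query strings
        parts.append(f'<a href="{url}" rel="nofollow noopener">{url}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:], quote=True))
    return "".join(parts).replace("\n", "<br>")


TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def tags_in(rendered: str) -> List[str]:
    """Names of opening tags present in rendered HTML, in order. Used to check
    that a renderer emits only the tags it is allowed to emit."""
    return [m.group(1).lower() for m in TAG_RE.finditer(rendered)]


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe),
                     ("safe+links", render_safe_with_links)):
        out = fn(SAMPLE_COMMENT)
        print(f"{name:11s} tags={tags_in(out)}\n  {out}")
```

Running the block prints the three renderings of the same comment: the unsafe one carries a `script` tag through to the output, the safe one only the `br` it inserted, and the linkified one an `a` and a `br` while the payload stays entity-encoded text.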