This repository has been archived by the owner on Nov 21, 2024. It is now read-only.

Use a whitelist for XHTML-IM elements and attributes #445

Open
linkmauve opened this issue Nov 28, 2015 · 3 comments

@linkmauve
Contributor

The current method makes it trivial to execute scripts for any attacker, e.g. by sending `<img src="something" onerror="alert('Hello XSS')"/>` in a room.

http://xmpp.org/extensions/xep-0071.html defines a subset of elements alongside their attributes. I highly recommend that you whitelist only those and ignore any other element or attribute you come across.
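A whitelist filter of the kind recommended above, as an added example that is not part of this issue or of the project's code. It parses the XHTML-IM body as XML (which is what it is, so no HTML parser or innerHTML is involved), copies only the elements and attributes of the XEP-0071 recommended profile, and drops `href`/`src` values whose scheme is outside a small set. Assumptions: the profile table omits `style` (a CSS filter is a separate job), the scheme list is a guess at what a client would open, and the sample message is constructed here from the payload quoted in the report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XHTML_NS = "http://www.w3.org/1999/xhtml"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("", XHTML_NS)  # serialise the result with a default xmlns
# element -> allowed attributes: XEP-0071 recommended profile minus "style" (assumption: CSS filtered elsewhere)
ALLOWED = {
    "a": {"href", "type"}, "blockquote": set(), "body": {XML_LANG}, "br": set(), "cite": set(),
    "em": set(), "img": {"alt", "height", "src", "width"}, "li": set(), "ol": set(),
    "p": set(), "span": set(), "strong": set(), "ul": set(),
}
SAFE_SCHEMES = {"http", "https", "xmpp", "mailto", "cid"}  # assumption: what the client may open
DROP_CONTENT = {"script", "style"}  # other unknown elements are unwrapped; these lose their text too

def _split_tag(tag):  # "{ns}local" -> (ns, local)
    return tag[1:].partition("}")[::2] if tag.startswith("{") else ("", tag)

def _safe_url(value):  # rejects javascript:, data:, vbscript: and scheme-less values
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES

def _clean_attrs(local, attrib):  # drops onerror=, onclick=, id=, ... and unsafe href/src
    return {k: v for k, v in attrib.items()
            if k in ALLOWED[local] and (k not in ("href", "src") or _safe_url(v))}

def _append_text(dst, text):  # append text after dst's last child (or as dst's own text)
    if text and len(dst):
        dst[-1].tail = (dst[-1].tail or "") + text
    elif text:
        dst.text = (dst.text or "") + text

def _copy_children(dst, src):
    for child in src:
        ns, local = _split_tag(child.tag)
        if ns == XHTML_NS and local in ALLOWED:
            new = ET.SubElement(dst, child.tag, _clean_attrs(local, child.attrib))
            new.text = child.text
            _copy_children(new, child)
        elif local not in DROP_CONTENT:  # unknown element: drop the tag, keep its text
            _append_text(dst, child.text)
            _copy_children(dst, child)
        _append_text(dst, child.tail)

def sanitize_xhtml_im(xml_text):
    """Copy an XHTML-IM <body>, keeping only whitelisted elements and attributes."""
    root = ET.fromstring(xml_text)
    if _split_tag(root.tag) != (XHTML_NS, "body"):
        raise ValueError("expected an XHTML-IM body element")
    out = ET.Element(root.tag, _clean_attrs("body", root.attrib))
    out.text = root.text
    _copy_children(out, root)
    return ET.tostring(out, encoding="unicode")

# Constructed sample, modelled on the payload quoted in the report (not real traffic)
SAMPLE = ('<body xmlns="http://www.w3.org/1999/xhtml"><p>hi <img src="https://example.org/cat.png" '
          'alt="cat" onerror="alert(\'Hello XSS\')"/><script>alert(1)</script>'
          '<a href="javascript:alert(2)">link</a></p></body>')
```

`sanitize_xhtml_im(SAMPLE)` returns the body with the `img` kept (minus `onerror`), the `script` gone and the link kept without its `javascript:` href.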

@benlangfeld
Member

Thank you for the report @linkmauve. Do you think you might be able to propose a fix?

@attritionorg

Can you confirm if this was fixed? If so, a link to the commit and/or fixing version? Also if this is related to #498?

@benlangfeld
Member

No-one has yet proposed a fix.
