[rt-devel] XSS and <PRE>

James O'Kane jo2y at midnightlinux.com
Thu Sep 11 14:44:21 EDT 2003

I have a question about XSS that I don't see answered in the archives.
I realize why RT::Interface::Web::EscapeUTF8 is called in 
/Ticket/Elements/ShowMessageStanza, but sometimes that loses formatting we 
want, either due to converting a <pre> that is in the email, or the browser 
not displaying multiple spaces. (In our case the ticket in question has a 
diff in the body of the message.)

What I want to know is, am I opening myself up to any cross-site evilness by 
wrapping the call to ShowMessageStanza in ShowTransaction (see the simple 
patch below)?
It works the way we would like in the simple tests we've done, but we're 
hoping to get a wider opinion.

ShowMessageHeaders already has a <pre> before and after, so either the 
<pre> should be safe, or it should be removed from there too? In theory, 
couldn't someone make an X-XSS-Header: with a URL?

This turned into a long message for what I hope is a simple question.


CUT ---8<--------------------8<-----
--- ShowTransaction.old 2003-09-08 14:18:38.000000000 -0400
+++ ShowTransaction     2003-09-11 14:09:56.000000000 -0400
@@ -71,7 +71,9 @@
 <& ShowMessageHeaders, Headers => $headers, Transaction => $Transaction 
 <& ShowMessageStanza, Depth => 0, Message => $quoted, Transaction => 
$Transaction &>
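Review bot: the hunk header `@@ -71,7 +71,9 @@` announces two added lines, but the quoted hunk shows only the two context lines (the ShowMessageHeaders and ShowMessageStanza calls) and no `+` lines, so the `<pre>` wrapper the message describes cannot be reviewed from what was posted; please repost the full hunk with the added lines. Also, the ShowMessageHeaders call on the first context line has no closing `&>`; if that is just mail line-wrapping rather than the file's content it is harmless, but the patch as quoted will not apply cleanly.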

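The safety argument in the question (escape first, then wrap in <pre>, so whitespace and diff indentation survive while tag injection does not) as an added worked example. This is not RT's code and not part of the original post: escape_utf8 is a hypothetical Python stand-in for RT::Interface::Web::EscapeUTF8, the render functions stand in for the ShowMessageStanza / ShowMessageHeaders components, and the sample body and headers are constructed. It also covers the header case raised at the end of the post: a header value that tries to close the <pre> is rendered inert for the same reason.

```python
import html

# Constructed sample input: a ticket body that is a unified diff (indentation and
# runs of spaces matter) and whose last added line tries to break out of <pre>.
SAMPLE_BODY = """--- a/file.c\t2003-09-08
+++ b/file.c\t2003-09-11
@@ -1,2 +1,2 @@
-    int x = 0;   /* two     spaces kept */
+    int x = 1;
+</pre><script>alert(1)</script>
"""

# Constructed sample headers: the second one is the "X-XSS-Header: with a URL"
# scenario, a value that would close the <pre> and inject a tag if unescaped.
SAMPLE_HEADERS = {
    "From": "someone@example.com",
    "X-XSS-Header": '</pre><img src="http://example.com/x" onerror="alert(1)">',
}


def escape_utf8(text: str) -> str:
    """Hypothetical stand-in for RT::Interface::Web::EscapeUTF8.

    Turns &, <, >, " and ' into entities. Whitespace (spaces, tabs, newlines)
    is left alone, which is exactly why <pre> can still lay the text out.
    """
    return html.escape(text, quote=True)


def render_stanza(body: str) -> str:
    """Escaped body wrapped in <pre>: the patched ShowMessageStanza behaviour."""
    return "<pre>" + escape_utf8(body) + "</pre>"


def render_stanza_unescaped(body: str) -> str:
    """The dangerous variant: <pre> with no escaping. Shown only for contrast."""
    return "<pre>" + body + "</pre>"


def render_headers(headers: dict) -> str:
    """ShowMessageHeaders-style output: every header value escaped inside <pre>."""
    lines = [f"{name}: {escape_utf8(value)}" for name, value in headers.items()]
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def is_inert(rendered: str) -> bool:
    """True if the only markup in the fragment is the outer <pre>...</pre>.

    Any '<' left inside the wrapper means a tag (or a closing </pre>) from the
    untrusted input reached the browser unescaped.
    """
    if not (rendered.startswith("<pre>") and rendered.endswith("</pre>")):
        return False
    inner = rendered[len("<pre>"):-len("</pre>")]
    return "<" not in inner


if __name__ == "__main__":
    print(render_stanza(SAMPLE_BODY))
    print(render_headers(SAMPLE_HEADERS))
    print("body inert:", is_inert(render_stanza(SAMPLE_BODY)))
    print("unescaped body inert:", is_inert(render_stanza_unescaped(SAMPLE_BODY)))
    print("headers inert:", is_inert(render_headers(SAMPLE_HEADERS)))
```

The check is_inert encodes the property that matters for the question: once EscapeUTF8 has run, the wrapping <pre> is the only tag the browser ever sees, so the wrapper itself adds no cross-site exposure; the exposure would come only from a path that puts unescaped text inside it, which is the contrast case render_stanza_unescaped shows.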
More information about the Rt-devel mailing list