[rt-devel] XSS and <PRE>
James O'Kane
jo2y at midnightlinux.com
Thu Sep 11 14:44:21 EDT 2003
I have a question about XSS that I don't see answered in the archives.
I realize why RT::Interface::Web::EscapeUTF8 is called in
/Ticket/Elements/ShowMessageStanza but sometimes that loses formatting we
want either due to converting a <pre> that is in the email, or the browser
not displaying multiple spaces. (In our case the ticket in question has a
diff in the body of the message.)
What I want to know is, am I opening myself up to any cross site evilness by
wrapping the call to ShowMessageStanza in ShowTransaction (see simple
patch below)?
It works the way we would like in the simple tests we've done, but we're
hoping to get a wider opinion.
ShowMessageHeaders already has a <pre> before and after, so either the
<pre> should be safe, or it should be removed from there too? In theory,
couldn't someone make an X-XSS-Header: with a url?
This turned into a long message for what I hope is a simple question.
thanks
-james
CUT ---8<--------------------8<-----
--- ShowTransaction.old 2003-09-08 14:18:38.000000000 -0400
+++ ShowTransaction 2003-09-11 14:09:56.000000000 -0400
@@ -71,7 +71,9 @@
<PRE>
<& ShowMessageHeaders, Headers => $headers, Transaction => $Transaction
&>
</PRE>
+<PRE>
<& ShowMessageStanza, Depth => 0, Message => $quoted, Transaction =>
$Transaction &>
+</PRE>
</span>
</TD>
<TD VALIGN=TOP ALIGN=RIGHT>
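Review bot: The new <PRE> around the ShowMessageStanza call is not itself an XSS risk, but only because ShowMessageStanza still escapes the message text (the EscapeUTF8 call the post mentions): <pre> changes whitespace rendering and nothing else, so a literal < or > in the body would still be parsed as a tag if that escaping were ever dropped to "keep formatting". Suggest a short comment above the added +<PRE> line stating that the wrapper depends on the component escaping its output. The same reasoning applies to the existing <PRE> around ShowMessageHeaders: whether a crafted X-XSS-Header value is harmless depends on header values being escaped before output, not on the surrounding <PRE>.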
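As an added illustration, not code from the post or from RT, the pattern the patch relies on: escape the body first, then wrap the result in <pre> so a diff keeps its whitespace. escape_html stands in for RT::Interface::Web::EscapeUTF8 (an assumption about what it does), and the ticket body is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping of the characters that can open or close markup.
# Stand-in for RT's EscapeUTF8 (assumed behaviour, not RT's code).
sub escape_html {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Render a stanza the way the patched ShowTransaction does:
# escape first, then wrap in <PRE> so multiple spaces survive.
sub render_stanza {
    my ($body) = @_;
    return "<PRE>\n" . escape_html($body) . "\n</PRE>\n";
}

# Constructed sample: a diff in the ticket body, plus a line that tries
# to close the <pre> early and inject script.
my $body = <<'EOT';
--- a.c
+++ b.c
@@ -1,3 +1,3 @@
     int x = 1;   /* leading spaces and alignment matter in a diff */
-    if (a<b && c>d) return;
+    if (a<b || c>d) return;
</pre><script>alert(document.cookie)</script>
EOT

my $html = render_stanza($body);
print $html;

# Check: the only tags in the output are the wrapper we added ourselves;
# everything from the body, including the </pre> attempt, is inert text.
my @tags = ($html =~ /<[^>]+>/g);
die "unexpected markup survived escaping: @tags\n"
    unless @tags == 2 && $tags[0] eq '<PRE>' && $tags[1] eq '</PRE>';
print "OK: wrapper is the only markup; diff whitespace preserved\n";
```

Dropping the escape_html call and keeping only the <PRE> wrapper makes the die fire, which is the failure mode the post is asking about.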