Issue #26 resolved

CVE-2014-3207: Unfiltered XSS

Anonymous created an issue

SKS 1.1.4 does not filter: /pks/lookup/undefined1<ScRiPt>prompt(972363)</ScRiPt>

For example:<ScRiPt>prompt(972363)</ScRiPt>;

Note that recent browsers will urlencode this for you, thus the XSS only affects older browsers. You can verify this using curl, for example:


Proposed fix: Filter input/output (or do not display the input at all).

Initial report and findings: by Haris (

Comments (7)

  1. Log in to comment