Issue #2 resolved

security: rst converter javascript URLs

Thomas Waldmann repo owner created an issue 2011-02-23

the rst converter happily creates javascript: links, which is unsecure (XSS, etc.)

Example markup:

NotMe <javascript:alert(1)>_

TODO: use a list of "supported/secure protocols", see also the ongoing fix of moin/1.9.

Comments (4)

Thomas Waldmann reporter
- changed title to security: rst converter javascript URLs
- 2011-02-23T14:55:25+00:00
Thomas Waldmann reporter
- changed status to open
- 2011-04-05T15:36:27+00:00
Thomas Waldmann reporter
- marked as critical
- 2011-08-10T16:28:11+00:00
Thomas Waldmann reporter
- changed status to resolved
Fixed by: http://hg.moinmo.in/moin/2.0/rev/cb70ad7b6668 - thanks to Sam!
- 2011-12-18T18:38:47+00:00
Log in to comment

Assignee: –

Type: bug

Priority: critical

Status: resolved

Component: dom converters

Milestone: 2.0.0a1

Version: 2.0.0a0

Votes: 0

Watchers: 1

JIRA Software: the preferred issue tracker for Bitbucket. Join the team!