- changed title to security: rst converter javascript URLs
security: rst converter javascript URLs
Issue #2
resolved
the rst converter happily creates javascript: links, which is insecure (XSS, etc.)
Example markup:
`NotMe <javascript:alert(1)>`_
TODO: use a list of "supported/secure protocols", see also the ongoing fix of moin/1.9.
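The protocol allowlist the TODO asks for, as an added example that is not part of this issue and not MoinMoin's own converter code. It assumes a constructed allowlist (SAFE_SCHEMES) and a hypothetical mini-renderer for the `` `label <target>`_ `` form; the one thing it demonstrates beyond the report is why the scheme must be normalised before it is compared, because browsers discard tabs, newlines and other control characters and ignore case, so a naive `startswith("javascript:")` check is not enough.

```python
import html
import re

# Allowlist of URL schemes the converter may emit as link targets.
# Constructed for this example; it is not MoinMoin's own list.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Browsers drop ASCII control characters, tabs, newlines and spaces from a
# URL before parsing it, so "java\tscript:" ends up meaning "javascript:".
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def url_scheme(url):
    """Return the lowercased scheme of url as a browser would see it,
    or None when the URL is relative (has no scheme)."""
    cleaned = _CONTROL_RE.sub("", url)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_link(url):
    """True if url is relative or uses an allowlisted scheme."""
    scheme = url_scheme(url)
    return scheme is None or scheme in SAFE_SCHEMES


# Embedded-URI reference: `label <target>`_  (hypothetical mini-renderer,
# not the real rst converter; it only handles this one construct).
_REF_RE = re.compile(r"`([^`<]+?)\s*<([^>]+)>`_")


def render_rst_references(text):
    """Render `label <target>`_ references to HTML anchors, emitting no
    href at all for targets whose scheme is not allowlisted."""
    def repl(m):
        label, target = m.group(1), m.group(2)
        if is_safe_link(target):
            return '<a href="%s">%s</a>' % (
                html.escape(target, quote=True), html.escape(label))
        # Keep the label visible so the rejected link is not silently hidden.
        return html.escape(label)
    return _REF_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample markup, including the case from this issue.
    for markup in ("`NotMe <javascript:alert(1)>`_",
                   "`Still not me <JaVa\tScRiPt:alert(1)>`_",
                   "`Moin <https://moinmo.in/>`_",
                   "`Relative <FrontPage>`_"):
        print(repr(markup), "->", render_rst_references(markup))
```

Rejecting anything not on the allowlist (rather than blocking a denylist of `javascript:`, `data:`, `vbscript:` and so on) is the point of the TODO: a new or vendor-specific scheme is then unsafe by default until someone decides to add it.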
Comments (4)
- changed status to open
- marked as critical
- changed status to resolved
Fixed by: http://hg.moinmo.in/moin/2.0/rev/cb70ad7b6668 - thanks to Sam!