Still There [was Re: [Yapcom] Cross-site-scripting (XSS) Bug in Yapcom]

Shlomi Fish shlomif at iglu.org.il
Mon Dec 5 17:21:14 IST 2005 

[This message was sent again, because the mailing list manager does not accept 
messages with attachments].

Per Gabor's request, here is a patch that fixes the problem. (With tests 
and everything):

http://eskimo.shlomifish.org/Files/files/code/yapcom-remove-xss.patch.txt

There are probably many other such problems there, which should also be fixed. 
Notice that the long lines and the spamming attacks are still there, to be 
fixed at a later stage.

Gabor, please give me commit access so I can fix everything conveniently.

Regards,

	Shlomi Fish

On Tuesday 22 November 2005 11:02, Shlomi Fish wrote:
> Hi all!
>
> Look at:
>
> http://www.osdc.org.il/person.html?id=30
>
> The link at the bottom of my bio pops up a JavaScript alert code. This
> HTML-injection attack is just a Proof-of-Concept and could be much worse.
>
> Other bugs:
>
> 1. The bio is displayed as one long line instead of a wrappped line. This
> generates an annoying horizontal scrollbar. Either ditch the <pre> or break
> the line.
>
> 2. The user-entered URLs do not have the rel="nofollow" attribute:
>
> http://googleblog.blogspot.com/2005/01/preventing-comment-spam.html
>
> As a result, web spammers may abuse Yapcom to increase their page rank.
>
> Regards,
>
> 	Shlomi Fish
>
> On Monday 15 November 2004 15:02, Shlomi Fish wrote:
> > It seems that when displaying the bio's of the registered users, Yapcom
> > does not encode special HTML characters. Thus if you register with the
> > following bio:
> >
> > <<<
> > hello <a href="javascript:alert('hi')">you</a>
> >
> >
> > You'll get a nice javascript code in the page. It could be much worse.
> >
> > Regards,
> >
> > 	Shlomi Fish
> >
> > ---------------------------------------------------------------------
> > Shlomi Fish      shlomif at iglu.org.il
> > Homepage:        http://www.shlomifish.org/
> >
> > Knuth is not God! It took him two days to build the Roman Empire.
> > _______________________________________________
> > Yapcom mailing list
> > Yapcom at perl.org.il
> > http://perl.org.il/mailman/listinfo/yapcom

-- 

---------------------------------------------------------------------
Shlomi Fish      shlomif at iglu.org.il
Homepage:        http://www.shlomifish.org/

95% of the programmers consider 95% of the code they did not write, in the
bottom 5%.

More information about the Yapcom mailing list