READ-ONLY: This project has been archived. For more information see this post.
Issue 23: XSS Vulnerability
Status:  Done
Owner:  ----
Closed:  Jun 2011

Reported by busto...@gmail.com, May 23, 2011
Enano presents an XSS vulnerability when posts are edited in the HTML scope. To fix this bug, TinyMCE recommends implementing an HTML purifier. Another option would be to clean the user input by using the replace function in JavaScript as follows:

// text holds the user-supplied HTML being cleaned; replace() returns a new string, so the result must be assigned back
text = text.replace("javascript:", "");
text = text.replace("script:", "");

This will replace attempted script tags with a whitespace.
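The following is an added example, not code from the reporter or from the Enano project. It puts the string-replace idea above next to the two building blocks a purifier-style fix relies on: escaping user text so it renders as text rather than markup, and accepting link targets only when they use an allowlisted scheme. The function names, the allowlist contents and the sample inputs are all constructed for this illustration.

```javascript
// Added example (not from the Enano project or the issue reporter).
// Constructed sample inputs only; function names are this example's own.

// The reporter's suggestion as runnable JavaScript. Note the semantics of
// String.prototype.replace with a plain string pattern: it replaces only the
// first, case-sensitive occurrence, so repeated or differently-cased
// occurrences are left in place.
function naiveStrip(input) {
  return input.replace("javascript:", "").replace("script:", "");
}

// Escape the characters that HTML treats specially in text and attribute
// values, so user content is displayed literally instead of being parsed.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Scheme allowlist for href values: parse the URL (relative links resolve
// against a fixed placeholder base) and accept only the schemes a page is
// supposed to link to. Unparseable or other-scheme values are rejected
// outright rather than "cleaned" with string replacement.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function isSafeHref(value) {
  let url;
  try {
    url = new URL(value, "https://example.invalid/"); // placeholder base
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Render a user-supplied link: the text is always escaped, and the anchor is
// emitted only when the href passes the allowlist; otherwise just the text.
function renderUserLink(href, text) {
  const safeText = escapeHtml(text);
  if (!isSafeHref(href)) {
    return safeText;
  }
  return `<a href="${escapeHtml(href)}">${safeText}</a>`;
}
```

With this approach the decision is made by the URL parser and a short allowlist, so there is no pattern list to keep in sync with whatever the browser happens to accept, which is the property the HTML-purifier recommendation in the report is after.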
Jun 2, 2011
#1 dan%enan...@gtempaccount.com
No longer relevant as of 1de01205143b, as TinyMCE has been removed from the Enano core.

Can you please describe steps to reproduce this? Page text is run through a fairly strict sanitizer unless you have the html_in_pages privilege.

Please use the e-mail address security@enanocms.org, as per described at http://enanocms.org/security, to report security concerns in the future.
Status: Done
