There's been an issue found in the javascript filtering code. It's possible to bypass it with a simple entity substitution. Credit goes to komet for the discovery, and hulver for the current work-around.

Mike

----- Forwarded message from scoop-bugs at lists.kuro5hin.org -----

From: scoop-bugs at lists.kuro5hin.org
Reply-To: scoop-dev at lists.sourceforge.net
Subject: [Scoop-bugs] [Bug 188] New: user can insert javascript in the A tag
Date: Fri, 13 May 2005 14:42:39 -0700
To: Scoop-bugs at lists.kuro5hin.org
X-Bugzilla-Reason: QAcontact

http://bugz.mostly-harmless.ca/show_bug.cgi?id=188

           Summary: user can insert javascript in the A tag
           Product: Scoop
           Version: cvs-CURRENT
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Utility Code
        AssignedTo: jeremy at satanosphere.com
        ReportedBy: mike at mostly-harmless.ca
         QAContact: Scoop-bugs at lists.kuro5hin.org

Reported by komet via hulver:

"komet, while testing my new site came across a javascripting hole in scoop.

The url

<a href="javascript:alert('hello')">test</a>

Works just fine under firefox (I've not tested IE).

I've stopped it for now by changing the allowed_html entry for the A tag to

A, HREF="^http(s?)://|^mailto:|^#|^/", NAME, -close

Which should stop any silly games.

I'm sure this will be public soon.
"

perhaps ^ftp:// should be added to the HREF regex as well?

------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

----- End forwarded message -----

-- 
Michael Bain               | One day I want to look through three hundred
mike at mostly-harmless.ca | thousand kilometres of space and say:
GPG-ID: 0xA30A5493         | "My isn't there a beautiful Earth out tonight!"
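
The following is an added example, not part of the original message and not Scoop's own code: it checks HREF values against the allow-list regex quoted in the report after decoding character references, and compares the result with a hypothetical deny-list that only looks for a literal "javascript:" prefix. The function names, the deny-list and all sample values other than the one from the report are constructed for illustration.

```python
import html
import re

# HREF allow-list quoted in the report (hulver's allowed_html work-around).
# Compiled case-sensitively here; how Scoop applies it is not shown on the page.
HREF_ALLOW = re.compile(r"^http(s?)://|^mailto:|^#|^/")

C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def browser_view(href: str) -> str:
    """Normalise an attribute value roughly the way a browser does before
    picking the URL scheme: decode character references, trim leading and
    trailing C0 controls/spaces, and drop embedded tab, CR and LF."""
    decoded = html.unescape(href)
    return re.sub(r"[\t\r\n]", "", decoded.strip(C0_AND_SPACE))


def denylist_accepts(href: str) -> bool:
    """Hypothetical naive filter: block only a literal 'javascript:' prefix."""
    return not href.lower().startswith("javascript:")


def allowlist_accepts(href: str) -> bool:
    """Accept only when the normalised value matches the quoted allow-list."""
    return HREF_ALLOW.search(browser_view(href)) is not None


# Constructed sample values; the first is the one from the report.
SAMPLES = [
    "javascript:alert('hello')",
    "&#106;avascript:alert('hello')",    # decimal reference for 'j'
    "&#x6A;avascript:alert('hello')",    # hexadecimal reference for 'j'
    "http://example.org/story?id=1&amp;mode=full",
    "mailto:user@example.org",
    "#comments",
    "/section/front",
    "ftp://example.org/file.txt",        # rejected until ^ftp:// is added
]


def audit(samples=SAMPLES):
    """Return (raw, normalised, denylist verdict, allowlist verdict) rows."""
    return [(s, browser_view(s), denylist_accepts(s), allowlist_accepts(s))
            for s in samples]


if __name__ == "__main__":
    for raw, seen, deny, allow in audit():
        print(f"{raw!r:48} -> {seen!r:46} deny-list={deny!s:5} allow-list={allow}")
```

The deny-list accepts both entity-encoded values because it never sees the decoded scheme, while the allow-list rejects every value whose normalised form does not start with one of the listed prefixes, including ftp:// as the report's closing question notes.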