[pmwiki-users] Fix for cross-site scripting (XSS) in wikitrail links

ljb ljb220 at mindspring.com
Mon Apr 3 21:11:03 CDT 2006


Using pmwiki-2.1.5:

The displayed text for links to previous and next pages in a wikitrail 
is not being escaped when sent to the browser. This lets you insert
arbitrary HTML and scripts on a wiki page.

For example: Make a page "x1" with this text:
===== x1 =====
* [[x2|First link]]
* [[x3|Second link</a><script>window.alert('Hello, wiki');</script><a>]]
==============

Save the page, and click on "First link" to create page x2 with this
wikitrail markup:
===== x2 =====
<<|[[x1]]|>>
==============
Save the page. Alert popup displays whenever page "x2" is viewed.


Proposed patch:

--- scripts/trails.orig.php	2006-03-31 21:27:24.000000000 -0500
+++ scripts/trails.php	2006-04-01 15:38:49.000000000 -0500
@@ -61,7 +61,7 @@
                                preg_replace('/[#?].+/', '', $match[3]));
     $t[$n]['depth'] = $depth = strlen($match[1]);
     $t[$n]['pagename'] = $tgt;
-    $t[$n]['markup'] = $match[2];
+    $t[$n]['markup'] = str_replace('<', '&lt;', $match[2]);
     $t[$n]['detail'] = $match[9];
     for($i=$depth;$i<10;$i++) $d[$i]=$n;
     if ($depth>1) $t[$n]['parent']=@$d[$depth-1];
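
Review bot: On the added line, str_replace('<', '&lt;', $match[2]) escapes only '<', so '&', '>' and both quote characters in the link text still pass through as entered. That covers the </a><script> case in the report, but it is narrower than general HTML escaping and would not be enough if this value is ever written inside an attribute. Consider htmlspecialchars($match[2], ENT_QUOTES) if the field is emitted as HTML, or escaping at the point where the trail link is written out so that $t[$n]['markup'] keeps the raw text for any other consumer. A one-line comment saying why the value is escaped here would also help the next reader.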

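A check an administrator could run over existing page source to find trail list items whose link text already carries raw markup, given as an added example that is not part of the original post or of PmWiki's code. The regex is a simplified assumption modelled on the `* [[target|text]]` items shown in the report, and `find_risky_trail_links` is a hypothetical name.

```python
import re

# Assumed, simplified shape of a trail list item as shown in the report:
#   "* [[target|link text]]"   (the number of '*' gives the list depth)
TRAIL_ITEM = re.compile(r"^(\*+)\s*\[\[([^|\]]+)\|(.*?)\]\]")
# Angle brackets in displayed link text are what the report relies on.
HTML_META = re.compile(r"[<>]")

# Page "x1" from the report, embedded as sample input.
SAMPLE_X1 = (
    "* [[x2|First link]]\n"
    "* [[x3|Second link</a><script>window.alert('Hello, wiki');</script><a>]]\n"
)


def find_risky_trail_links(page_text):
    """Return (line_no, depth, target, link_text) for every list item
    whose displayed link text contains '<' or '>'."""
    findings = []
    for line_no, line in enumerate(page_text.splitlines(), start=1):
        m = TRAIL_ITEM.match(line.strip())
        if not m:
            continue  # not a "[[target|text]]" list item
        bullets, target, link_text = m.groups()
        if HTML_META.search(link_text):
            findings.append((line_no, len(bullets), target.strip(), link_text))
    return findings


if __name__ == "__main__":
    for line_no, depth, target, text in find_risky_trail_links(SAMPLE_X1):
        print(f"line {line_no} (depth {depth}) -> {target}: {text!r}")
```

Only the pipe form of link text seen in the report is matched; other link syntaxes would need their own patterns.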