ImgTag is vulnerable to XSS attacks
Google Code Exporter commented
What steps will reproduce the problem?
The ImgTag class doesn't validate the URL.
Here are some examples of IMG XSS attacks: http://ha.ckers.org/xss.html
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
1.1.5dev
Please provide any additional information below.
Original issue reported on code.google.com by przemek...@gmail.com
on 19 Feb 2009 at 12:55
Google Code Exporter commented
How should this be handled?
Original comment by markree...@gmail.com
on 10 Jul 2010 at 3:00
Google Code Exporter commented
Ensure that the URL is either http: or https:? I'm not sure this mitigates
all attacks, but at least we ensure it cannot be a javascript: URL.
Original comment by studio%b...@gtempaccount.com
on 29 Dec 2010 at 12:57
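The scheme allowlist proposed in the comment above, as an added example (not the project's own code, written in Python on the assumption that this is the host language): the helper strips the whitespace and control characters browsers ignore before checking the scheme, and escapes the value on output, since the scheme check alone does not cover attribute break-out. `is_safe_image_url` and `render_img` are hypothetical names.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical helpers illustrating a http/https allowlist for [img] URLs.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces from a URL and
# drop tabs and newlines anywhere in it, so "java\tscript:" still parses
# as javascript:. Normalise the same way before inspecting the scheme.
_EDGE_CHARS = "".join(chr(c) for c in range(0x21)) + "\x7f"
_INNER_CHARS = re.compile(r"[\t\n\r]")


def _normalise(url: str) -> str:
    return _INNER_CHARS.sub("", url.strip(_EDGE_CHARS))


def is_safe_image_url(url: str) -> bool:
    """Return True only for absolute http(s) URLs that carry a host."""
    try:
        parts = urlsplit(_normalise(url))
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_img(url: str) -> str:
    """Render <img> for an accepted URL; fall back to escaped text otherwise.

    The attribute value is HTML-escaped with quote=True even after the
    scheme check, because a double quote in an accepted http URL would
    otherwise terminate the src attribute.
    """
    if not is_safe_image_url(url):
        return html.escape(url, quote=True)
    return '<img src="%s">' % html.escape(_normalise(url), quote=True)
```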
Google Code Exporter commented
Fixed in trunk
Original comment by willmcgugan
on 30 Dec 2010 at 11:46
- Changed state: Fixed