Vanilla XSS Vulnerability
Hello, I have recently discovered a vulnerability which probably affects all versions of Vanilla.
You are currently unable to send IFRAME tags in messages. Yet you are able to send OBJECT tags. This can be abused and may lead to pages being redirected to other websites.
Here's an example:
Hope this gets fixed before abuse occurs.
Thanks,
ConnorM
Comments
It doesn't work cross-domain in that way. If you want to restrict this, you can block all object tags in the htmLawed plugin.
grep is your friend.
Personally I'm in favour of blocking it anyway. However, I don't think they were unaware they enabled it.
grep is your friend.
Yes the OBJECT tag should be blocked by default.
why not open up an issue?
https://github.com/vanillaforums/Garden/issues
grep is your friend.
For HTML it's not an issue; the only embed type allowed is Flash, which does carry some risk. If you want to remove it,
comment out this line
$Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';
and put
$Spec = '';
in the htmlawed plugin.
grep is your friend.
I missed something: you also need to replace
'elements' => '*-applet-form-input-textarea-iframe-script-style', // object, embed allowed
with
'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed',
grep is your friend.
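The two htmLawed plugin changes described in the replies above, side by side on one constructed message, as an added example that is not code from the thread or from the Vanilla project; it assumes htmLawed.php (the library the plugin bundles) is on the include path, and reuses the thread's own variable names and values.

```php
<?php
// Added example: compares the shipped and hardened htmLawed settings quoted
// in the thread on a constructed sample post. Assumes htmLawed.php is on the
// include path (adjust the require_once path to your plugin directory).
require_once 'htmLawed.php';

// Constructed sample message: ordinary markup plus object, embed and iframe tags.
$message = '<p>Hello</p>'
    . '<object type="application/x-shockwave-flash" data="movie.swf"></object>'
    . '<embed type="application/x-shockwave-flash" src="movie.swf">'
    . '<iframe src="page.html"></iframe>';

// Setting as shipped (per the thread): object and embed remain allowed,
// with $Spec limiting their attributes and restricting embed to Flash.
$Config = array('elements' => '*-applet-form-input-textarea-iframe-script-style'); // object, embed allowed
$Spec   = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

// Hardened setting from the thread: object and embed are denied outright,
// so the element list does the blocking and $Spec is no longer needed.
$StrictConfig = array('elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed');
$StrictSpec   = '';

echo "Shipped setting:\n", htmLawed($message, $Config, $Spec), "\n\n";
echo "Hardened setting:\n", htmLawed($message, $StrictConfig, $StrictSpec), "\n";
```

With the shipped setting the iframe is stripped but the object and embed tags pass through; with the hardened setting all three are removed.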
I did not see a link to this on the site as an issue tracker. Thanks for the info.
Dave.
Fourth item down on this page: http://vanillaforums.org/docs
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.