Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Wow.

By default ad_page_contract does not allow HTML in query vars. You have to allow it specifically using the html or allhtml flags, so this should be straightforward to deal with.

Also note that you may have a misconfiguration of your allowedtag or allowedattribute settings in the ACS kernel, which control the security of submitted HTML.

Hi Dave,

Thank you for your comment. In fact the problem only happens where you have the option to supply the HTML code as query vars in ad_page_contract, and that's exactly what I'm talking about. These pages show this behaviour in general, and as there are a lot of pages, fixing it for every single page would be insane.

However, you gave me a good hint: maybe we should change ad_page_contract to verify the HTML code? I did the test you suggested: I changed the allowedtag parameter, but it seems like this check is only valid for form submission, not for URL vars. A possible fix would be to add this tag check to HTML URL vars?

yes, fix the filter.
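The check the thread proposes, applied per page until the filter itself is fixed, as an added example that is not from this thread or from the OpenACS sources. It assumes ad_html_security_check returns an empty string for markup that passes the acs-kernel AllowedTag/AllowedAttribute policy and a complaint otherwise; the page, the query var and the property names are invented.

```tcl
# Added example (not OpenACS code). Assumption: ad_html_security_check
# returns "" when the markup uses only allowed tags/attributes, else an
# error message. The page, "preview" and "safe_preview" are invented.

ad_page_contract {
    Renders a wiki-style preview. The "html" filter lets markup through
    the query-variable check, so the value must still be vetted here.
} {
    preview:html,optional
} -properties {
    safe_preview:onevalue
}

set safe_preview ""
if { [info exists preview] && $preview ne "" } {
    # Apply the same AllowedTag / AllowedAttribute policy that governs
    # form-submitted HTML to the URL-supplied value.
    set complaint [ad_html_security_check $preview]
    if { $complaint ne "" } {
        # Reject: render the submission escaped so no markup is
        # interpreted, and log it so the attempt is visible to operators.
        ns_log Warning "rejected HTML in query var preview: $complaint"
        set safe_preview [ad_quotehtml $preview]
    } else {
        set safe_preview $preview
    }
}
```

The same check placed inside the html filter of ad_page_contract would cover every page at once, which is what "fix the filter" refers to above.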