I submit for your attention exhibit A:
(set up in edit http://test.musicbrainz.org/edit/13577941)
And I haven't even tried anything other than an artist yet...
For full effect, please view source on that page and search for the text "<script>". Any place where that appears is a place where HTML sanitization is missing. Note that a few of the locations are actually embedded in the bodies of other scripts; some of those may be exploitable as well if the ' quote is not escaped properly. I did not test this.
Thanks for finding these. Note we do try to actually run everything through "| html", but it's easy to miss bits...
I have fixed some of the most critical places, but I honestly don't have the energy to sift through all our templates in order to determine other possible exploitable areas. Please reopen this ticket if you find any! I created/edited all major entities in my testing and they don't seem to be injectable.
An example is (with syntax highlighting):
Taken from the page http://test.musicbrainz.org/artist/c7a5823a-5f9f-48ec-b034-e4ac261d5b6e
Note how the unescaped single quote causes a syntax error.
One example of where this causes a worse problem is in the release group editor:
(Click on the Artist to open the editor, check "Use direct search", then trigger a search by selecting the "Artist in MusicBrainz" field and pressing an arrow key.)
(tbh, I'm not sure if this is because of a missing escape on ' or of not escaping HTML code; it could be either or both.)
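The two comments above (the "<script>" text turning up inside other scripts, and the unescaped single quote producing a syntax error) are two different output contexts needing two different escapers. The following is an added example, not MusicBrainz code or part of this ticket. It assumes an HTML filter that escapes &, <, > and " but not ' (an assumption about the filter in use; check yours), and a template of the shape `var name = '[% name | html %]';` inside an inline script. The artist name is constructed for the demonstration.

```javascript
// Added example (not project code): the same user-controlled artist name
// written into an HTML body context and into a JS string literal inside an
// inline <script>, with the escaper appropriate to each.

// Constructed attacker-controlled artist name, in the spirit of the thread's
// "nasty names" tests.
const NASTY_NAME = "O'Brien <script>alert(1)</script>";

// Context 1: HTML text or a double-quoted attribute. Modelled on a template
// "html" filter that escapes & < > and " but leaves the single quote alone
// (assumption about the filter; verify against the one you use).
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  })[c]);
}

// Context 2: a JavaScript string literal inside an inline <script>.
// Serialise with JSON.stringify (which quotes and escapes " \ and control
// characters), then additionally escape the characters the HTML parser
// still acts on inside <script> (it ends the block at a literal "</script>"
// whatever the JS quoting says) and the two line terminators JSON leaves raw.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What a template of the form  var name = '[% name | html %]';  emits:
// the HTML filter is applied, but the value lands in a JS string context.
function renderScriptWithHtmlFilter(name) {
  return `<script>var name = '${escapeHtml(name)}';</script>`;
}

// The corrected form: a JSON-serialised, script-safe literal (quotes included).
function renderScriptSafely(name) {
  return `<script>var name = ${escapeJsString(name)};</script>`;
}

// Crude check for the thread's symptom: does the emitted inline script even
// parse as JavaScript? Extracts the script body and hands it to the engine.
function scriptParses(html) {
  const m = /^<script>([\s\S]*)<\/script>$/.exec(html);
  if (!m) return false;
  try {
    new Function(m[1]); // parse only; nothing is executed
    return true;
  } catch (e) {
    return false;
  }
}

// Stand-alone demonstration.
console.log(renderScriptWithHtmlFilter(NASTY_NAME), scriptParses(renderScriptWithHtmlFilter(NASTY_NAME)));
console.log(renderScriptSafely(NASTY_NAME), scriptParses(renderScriptSafely(NASTY_NAME)));
```

With the filter modelled here, the HTML-escaped name still breaks the script: `var name = 'O'Brien &lt;script&gt;...';` is a syntax error because the embedded ' closes the literal early, which is exactly the symptom reported for the artist page. The JSON-serialised form parses, cannot close the `<script>` block early, and round-trips to the original name on the client. Values that are lazy-loaded as JSON and then inserted into the DOM are a third context again: they are safe in the JSON document, but still need escaping (or a text-node insertion rather than innerHTML) at the point where the client writes them into the page.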
OK, I fixed the tag editor issue, but I think all the JS is better for warp to fix, so I'm bouncing this issue over to him.
I fixed a bunch of escaping issues in the release editor (which lazy loads tracklists and recordings through json) and checked autocomplete (again, json) for most of these.
(Just realized I didn't check label entities with nasty names, I'll do that now.)
http://jira.musicbrainz.org/browse/MBS-1379 mentions http://test.musicbrainz.org/artist/7e84f845-ac16-41fe-9ff8-df12eb32af55/edits which has problems
Addressed those ones that cropped up
Found another place:
View source for details.
Tracks 2-5 should all have the text <MUSIC VIDEO> at the end of the track name.
http://musicbrainz.org/edit/14612028 there should be <GOLD MIX> after SUPER EUROBEAT
http://musicbrainz.org/edit/15419615 should have "<Dance ver.>" as part of track 4
Fixed with 5d90ada
A new case spotted in http://test.musicbrainz.org/edit/15482740
Also reported in MBS-4004. MBS-4082 also appears to be related.
Edit/15482740 fixed with commit 6502943.
Fixed artist credit HTML escaping in b6a5ca4