Thanks for finding these. Note we do try to actually run everything through "| html", but it's easy to miss bits... I have fixed some of the most critical places, but I honestly don't have the energy to sift through all our templates in order to determine other possible exploitable areas. Please reopen this ticket if you find any! I created/edited all major entities in my testing and they don't seem to be injectable.

Alright, I managed to find a few more holes. It looks like you've gotten most of the places where code could be injected into HTML, but there's still escaping lacking when embedding HTML into javascript (JSON). Note how the unescaped single quote causes a syntax error. One example of where this causes a worse problem is in the release group editor:

OK, I fixed the tag editor issue, but I think all the JS is better for warp to fix, so I'm bouncing this issue over to him.

I fixed a bunch of escaping issues in the release editor (which lazy loads tracklists and recordings through json) and checked autocomplete (again, json) for most of these.

(Just realized I didn't check label entities with nasty names, I'll do that now.)

Addressed those ones that cropped up.

Found another place: Tracks 2-5 should all have the text <MUSIC VIDEO> at the end of the track name.
http://musicbrainz.org/edit/14612028
http://musicbrainz.org/edit/15419615

A new case spotted in http://test.musicbrainz.org/edit/15482740

Edit/15482740 fixed with commit 6502943.

Fixed artist credit HTML escaping in b6a5ca4
For full effect, please view source on that page and search for the text "<script>". Any place where that appears is a place where HTML sanitization is missing. Note that a few of the locations are actually embedded in the bodies of other scripts; some of those may be exploitable as well if the ' quote is not escaped properly. I did not test this.
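The thread's point that an HTML filter is not enough once a value lands inside a script block (the unescaped ' breaking a JS string, and the lazy-loaded JSON) can be checked mechanically; the following is an added illustration, not MusicBrainz code, and `escapeHtml` is a stand-in for a template "| html" filter under the assumption that it escapes & < > " but leaves the single quote alone.

```javascript
// Stand-in for a template "| html" filter (assumption: escapes & < > ",
// not the single quote, which is the gap the ticket describes).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// The fragile pattern: an HTML-escaped value pasted into a single-quoted
// JS string literal inside <script>. A ' in the value ends the literal.
function naiveScriptLiteral(value) {
  return "'" + escapeHtml(value) + "'";
}

// Hardened: JSON.stringify handles quotes, backslashes and control chars;
// then < and > are \u-escaped so the emitted text can never contain
// "</script>" or "<!--", and U+2028/U+2029 are escaped because older
// engines reject them raw inside a string literal.
function safeScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Does the generated literal even parse as JavaScript?
function parses(literal) {
  try { new Function("return " + literal + ";"); return true; }
  catch (e) { return false; }   // SyntaxError: literal broken by the value
}

// Does it parse AND evaluate back to exactly the original value? If it
// parses but yields something else, the value changed the code's meaning.
function roundTrips(literal, expected) {
  if (!parses(literal)) return false;
  return new Function("return " + literal + ";")() === expected;
}

// Would this text terminate a surrounding <script> element?
function containsScriptClose(literal) {
  return /<\/script/i.test(literal);
}

// Constructed sample values (not taken from the ticket's edits).
const SAMPLES = [
  "Don't Stop <MUSIC VIDEO>",           // quote + angle brackets
  "x'; injected(); '",                   // closes the literal, still parses
  "</script><script>injected()</script>" // would end a <script> block
];

// Summary usable stand-alone: one row per sample, naive vs. hardened.
function report() {
  return SAMPLES.map(v => ({
    value: v,
    naiveParses: parses(naiveScriptLiteral(v)),
    naiveRoundTrips: roundTrips(naiveScriptLiteral(v), v),
    safeRoundTrips: roundTrips(safeScriptLiteral(v), v),
    safeClosesScript: containsScriptClose(safeScriptLiteral(v))
  }));
}
```

Running `report()` shows every sample surviving the hardened encoder while the naive one either fails to parse or parses with altered meaning, which is the cheap regression check worth adding wherever a template emits JSON into a script.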