[Bug 35315] XSS in CharInsert, forged strip markers

bugzilla-daemon Mon, 16 Apr 2012 03:20:47 -0700

https://bugzilla.wikimedia.org/show_bug.cgi?id=35315


--- Comment #10 from Tim Starling <tstarl...@wikimedia.org> 2012-04-16 10:20:41 
UTC ---
For XSS, this test case seems to work just as well:

{{#tag:charinsert|<nowiki>','',''); alert("XSS",')</nowiki>}}

It doesn't need forged strip markers. But the infinite loop in comment 4 does
need forged strip markers.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 35315] XSS in CharInsert, forged strip markers

Reply via email to