
Textpattern CMS support forum


#1 2009-08-06 12:41:06

xorock
New Member
Registered: 2009-08-06
Posts: 2

[textile] Acronym parsed with TextileRestricted

Hello everybody.
Is it normal that text

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

[Ruud: turned the code above into a code block; below is the same code as it was originally rendered]

a=“get”;
b=“URL;\”)”;
eval(a+b+c+d);

(as you can see) is being parsed and displayed as buggy HTML? It’s code for an XSS hack.

Last edited by wet (2009-08-07 17:05:33)


#2 2009-08-06 16:22:54

els
Moderator
From: The Netherlands
Registered: 2004-06-06
Posts: 7,458

Re: [textile] Acronym parsed with TextileRestricted

Put notextile. and a space at the beginning of the first line.


#3 2009-08-06 22:04:24

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: [textile] Acronym parsed with TextileRestricted

xorock, can you explain how this can be abused as an XSS hack?
For example, I don’t see how the eval() construct is supposed to work outside script tag context.
Where does this work… in TXP, here on the forum or anywhere where restricted textile is used?

I’ve edited the topic title to draw some dev attention this way.


#4 2009-08-07 07:06:11

xorock
New Member
Registered: 2009-08-06
Posts: 2

Re: [textile] Acronym parsed with TextileRestricted

Oh, you have understood me wrong. I just wrote that I was playing with XSS hacks plus Textile and discovered that some specific code in user input could create invalid markup as a result. In this case unescaped <span> and <br/> inside a title attribute. If you send the whole site as application/xhtml+xml (Textile produces XHTML) you would see a YSOD. My question is “is it a bug in the parser?” and how can I prevent it?
Thank you.

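To make the failure mode from this post concrete (inline markup from an earlier pass landing unescaped inside a title attribute, which an XML parser serving application/xhtml+xml rejects outright) and the fix a parser would apply, here is an added Python sketch; it is not Textile’s own code, and the acronym regex and the sample input are constructed for the demonstration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Hypothetical stand-in for an acronym pass:
# UPPERCASE(expansion) -> <acronym title="expansion">UPPERCASE</acronym>.
# Not Textile's implementation; constructed for this example.
ACRONYM = re.compile(r'\b([A-Z]{3,})\(([^)]*)\)')


def naive_acronym(text):
    """Copies the parenthesised phrase into the title attribute verbatim.
    Any markup an earlier pass (spans, line breaks) already inserted into
    that phrase ends up unescaped inside the attribute."""
    return ACRONYM.sub(r'<acronym title="\2">\1</acronym>', text)


def escaped_acronym(text):
    """Same transformation, but the attribute value is entity-escaped so
    '<', '>', '&' and quotes can neither break out of the attribute nor
    make the document ill-formed."""
    def repl(m):
        title = html.escape(m.group(2), quote=True)
        return '<acronym title="%s">%s</acronym>' % (title, m.group(1))
    return ACRONYM.sub(repl, text)


def is_well_formed_xhtml(fragment):
    """What a browser does for application/xhtml+xml: parse as XML and
    refuse the whole page (the YSOD) on the first well-formedness error."""
    try:
        ET.fromstring('<p>%s</p>' % fragment)
        return True
    except ET.ParseError:
        return False


# Constructed input: the phrase in the parentheses already carries inline
# markup, as happens when span/line-break passes run before this one.
SAMPLE = 'URL(<span class="caps">A</span> quoted "value"<br />)'

if __name__ == '__main__':
    for label, fn in (('naive', naive_acronym), ('escaped', escaped_acronym)):
        out = fn(SAMPLE)
        state = 'well-formed' if is_well_formed_xhtml(out) else 'NOT well-formed'
        print(label, state)
        print('  ', out)
```

The naive variant fails the XML check because `<` and `"` appear raw inside the attribute value; the escaped variant parses, which is the behaviour a parser emitting XHTML needs regardless of what the input looks like.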

#5 2009-08-07 17:14:21

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,324

Re: [textile] Acronym parsed with TextileRestricted

As Els mentioned, prepending notextile. to the first line of your code snippet will pause Textile until the next empty line is encountered.

Other methods to suppress Textile processing for certain chunks of text are:

  1. Embrace them with a <notextile>...</notextile> element
  2. For short phrases as part of a paragraph: Enclose them in ==...== double equal signs.

Whether this is a bug is left to the eye of the beholder. GIGO is one of Textile’s weaknesses, but what should it really make of this punctuation soup?


Powered by FluxBB