Textpattern CMS support forum
#1 2009-08-06 12:41:06
- xorock
- New Member
- Registered: 2009-08-06
- Posts: 2
[textile] Acronym parsed with TextileRestricted
Hello everybody.
Is it normal that text
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
[Ruud: turned the code above into a code block; below, the same code]
a=“get”;
b=“URL;\”)”;
eval(a+b+c+d);
(as you can see) is being parsed and displayed as buggy HTML? It’s code for an XSS hack.
Last edited by wet (2009-08-07 17:05:33)
#2 2009-08-06 16:22:54
- els
- Moderator
- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: [textile] Acronym parsed with TextileRestricted
Put "notextile." and a space at the beginning of the first line.
Re: [textile] Acronym parsed with TextileRestricted
xorock, can you explain how this can be abused as an XSS hack?
For example, I don’t see how the eval() construct is supposed to work outside script tag context.
Where does this work… in TXP, here on the forum or anywhere where restricted textile is used?
I’ve edited the topic title to draw some dev attention this way.
#4 2009-08-07 07:06:11
- xorock
- New Member
- Registered: 2009-08-06
- Posts: 2
Re: [textile] Acronym parsed with TextileRestricted
Oh, you have understood me wrong. I just wrote that I was playing with XSS hacks plus Textile and discovered that some specific code in user input could create invalid markup as a result. In this case an unescaped <span> and <br/> inside a title attribute. If you send the whole site as application/xhtml+xml (Textile produces XHTML) you would see a YSOD. My question is “is it a bug in the parser?” and how can I prevent it?
Thank you.
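An added illustration of the failure mode xorock describes (this is example code written for this page, not Textile's or Textpattern's own code). It uses a deliberately simplified Python model of two Textile glyph rules, the CAPS(expansion) acronym and the 3+-capital "caps" span; the regexes are assumptions that approximate those rules, not Textile's real ones, and the sample input is the snippet from post #1 typed in by hand. The naive renderer interpolates the acronym title without escaping and lets it span lines, so the span and the <br /> end up inside title="" just as the post reports; the hardened renderer escapes the title, keeps it on one line, and stops the caps rule from firing inside a tag. Both results are checked the way a site serving application/xhtml+xml effectively checks them: by asking an XML parser to accept the fragment.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: the snippet from post #1 exactly as a user would type it
# into a Textile-processed field (not taken from any Textile test suite).
POSTED_INPUT = (
    'a="get";\n'
    'b="URL(\\"";\n'
    'c="javascript:";\n'
    'd="alert(\'XSS\');\\")";\n'
    'eval(a+b+c+d);'
)

# Simplified models of two Textile glyph rules (assumption: they approximate,
# and do not reproduce, Textile's real regexes):
#   ACRONYM:  CAPS(expansion)       -> <acronym title="expansion">CAPS</acronym>
#   CAPS:     a run of 3+ capitals  -> <span class="caps">CAPS</span>
ACRONYM_RE = re.compile(r'\b([A-Z][A-Z0-9]{2,})\b\(([^)]*)\)')
CAPS_RE = re.compile(r'(?<![\w"])([A-Z][A-Z0-9]{2,})(?![\w"])')


def naive_render(text):
    """Model of the lossy behaviour the thread describes: the acronym title
    is captured across lines and interpolated verbatim, the caps rule then
    runs over the whole string (including the new attribute), and finally
    every newline becomes <br />, so markup lands inside title="" unescaped."""
    out = ACRONYM_RE.sub(r'<acronym title="\2">\1</acronym>', text)
    out = CAPS_RE.sub(r'<span class="caps">\1</span>', out)
    out = out.replace('\n', '<br />\n')
    return '<p>' + out + '</p>'


def hardened_render(text):
    """Same rules with three fixes: user text is entity-escaped before any
    rule runs, the acronym title may not span a line and has its quotes
    escaped, and the caps rule refuses to match inside an existing tag."""
    out = html.escape(text, quote=False)
    out = re.sub(
        r'\b([A-Z][A-Z0-9]{2,})\b\(([^)\n]*)\)',
        lambda m: '<acronym title="%s">%s</acronym>'
                  % (m.group(2).replace('"', '&quot;'), m.group(1)),
        out)
    # (?![^<>]*>) rejects a match that is followed by '>' before any '<',
    # i.e. one sitting inside a tag's attribute list.
    out = re.sub(r'(?<![\w"])([A-Z][A-Z0-9]{2,})(?![\w"])(?![^<>]*>)',
                 r'<span class="caps">\1</span>', out)
    out = out.replace('\n', '<br />\n')
    return '<p>' + out + '</p>'


def is_well_formed_xhtml(fragment):
    """The check an application/xhtml+xml site needs before serving a page:
    an XML parser must accept the fragment, otherwise the browser shows a
    fatal parse error (the YSOD mentioned in the thread) instead of content."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == '__main__':
    for name, render in (('naive', naive_render), ('hardened', hardened_render)):
        out = render(POSTED_INPUT)
        print('%s: well-formed=%s\n%s\n' % (name, is_well_formed_xhtml(out), out))
```

Running it prints the naive output with `<br />` and `<span class="caps">` inside the acronym's title attribute and reports it as not well-formed, while the hardened output never forms an acronym from that input at all (the "title" would have to cross a line) and parses cleanly. The validity check is the cheap guard worth keeping regardless of how the filter is fixed: if a restricted-markup renderer can be coaxed into emitting a fragment the XML parser rejects, that fragment must not reach a page served as XML.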
Re: [textile] Acronym parsed with TextileRestricted
As Els mentioned, prepending notextile. to the first line of your code snippet will pause Textile until the next empty line is encountered.
Other methods to suppress Textile processing for certain chunks of text are:
- Embrace them with a <notextile>...</notextile> element
- For short phrases as part of a paragraph: include them in ==...== double equal signs.
Whether this is a bug is left to the eye of the beholder. GIGO is one of Textile’s weaknesses, but what should it really make of this punctuation soup?