Difference between revisions of "MediaWiki"
From Nick Jenkins
m |
|||
| Line 148: | Line 148: | ||
| Yes. | | Yes. | ||
| No. | | No. | ||
| − | | <s>Generates Tidy error due to <th> tags out of order.</s> As of 1.6.1, now drops the '<a href="xxx' string. | + | | <s>Generates Tidy error due to <th> tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string]. |
|- | |- | ||
| <s>[[MediaWiki/Parser17]]</s> | | <s>[[MediaWiki/Parser17]]</s> | ||
| Line 187: | Line 187: | ||
* ''<p><td><s></p>'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML. | * ''<p><td><s></p>'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML. | ||
* ''<a href="http://as<td></td><td class="external free"><p>user text here'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes. | * ''<a href="http://as<td></td><td class="external free"><p>user text here'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes. | ||
| − | * A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th>'' - because the ''<a href="xxx'' part has been cut off. | + | * A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<nowiki><th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th></nowiki>'' - because the ''<a href="xxx'' part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order. |
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table. | So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table. | ||
Revision as of 06:48, 7 April 2006
Various MediaWiki 1.6.1 parser tests, that fail HTML validation:
1: For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:
- <p><td><s></p> would not be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
- <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
- A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
