Closed Bug 949691 Opened 12 years ago Closed 12 years ago

github fails to escape the content of <content type="html">

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: JasnaPaka, Unassigned)

Details

Attachments

(2 files)

One person discovered an XSS in the RSS reader Feedly and one Mozilla user found the same problem in the RSS preview in Firefox (latest trunk). https://twitter.com/RadegDostal/status/410533739072983040/photo/1

How to reproduce:
1) Visit https://github.com/nette/nette/commits/6f53927485ff7ded429c8140ed56fa5fbe741d6c.atom.
2) See the form input in the RSS preview.

What is expected: No form input!
Attached file Atom
Problematic feed.
Keywords: sec-incident
Attached image Screenshot
Well, XSS requires some cross to be the cross-site, that's more "one site says to render HTML, so we render HTML." Sure, because github failed to actually read the Atom RFC after hundreds of people sweated blood for years to make sure that exactly this would never happen as long as people read the damn RFC, it's possible for someone to create unintentional HTML with a commit message, but that's a github bug. Anything displaying Atom content which does not display an actual <input> there (assuming it isn't one which strips all HTML, and Firefox does not strip all HTML) is wrong, because that's what the feed says to do.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Summary: XSS in RSS Preview → github fails to escape the content of <content type="html">
Product: Firefox → Firefox Graveyard
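The closing comment turns on one rule of RFC 4287: when an Atom `<content>` element carries `type="html"`, its text node is HTML that the consumer is told to render, so a producer that wants a `<` from a commit message to show up as a literal `<` has to HTML-escape the message before XML-escaping it (escape twice). The following Python is an added example, not code from the bug, from GitHub or from Firefox; it builds an Atom entry three ways (the buggy single escape the comment describes, the correct double escape, and a `type="text"` alternative), then models a conforming consumer and a browser-side HTML parse to show which variant yields a live `<input>` element. The commit message is constructed for the example and is not the one from the linked nette feed.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM_NS = "http://www.w3.org/2005/Atom"
ET.register_namespace("", ATOM_NS)  # serialise with a default xmlns

# Constructed sample commit message (hypothetical, not from the nette repo).
COMMIT_MESSAGE = 'Fix form rendering of <input type="text" name="q">'


def build_entry(message: str, mode: str) -> str:
    """Serialise a minimal Atom <entry> whose <content> carries `message`.

    mode == "buggy": type="html" but the message is only XML-escaped
                     (what the bug report attributes to GitHub).
    mode == "html":  type="html" and the message is HTML-escaped first,
                     so the consumer's HTML renderer sees only text.
    mode == "text":  type="text"; the text node is plain text by definition.
    ElementTree XML-escapes the text node on serialisation in every mode.
    """
    entry = ET.Element(f"{{{ATOM_NS}}}entry")
    ET.SubElement(entry, f"{{{ATOM_NS}}}title").text = message
    content = ET.SubElement(entry, f"{{{ATOM_NS}}}content")
    if mode == "buggy":
        content.set("type", "html")
        content.text = message
    elif mode == "html":
        content.set("type", "html")
        content.text = html.escape(message)  # HTML escape, then XML escape
    elif mode == "text":
        content.set("type", "text")
        content.text = message
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ET.tostring(entry, encoding="unicode")


def render_as_html(entry_xml: str) -> str:
    """Model of a conforming Atom consumer (RFC 4287 section 3.1.1).

    The XML parser has already undone one level of escaping. For
    type="text" the result is plain text and must be escaped before it
    is handed to an HTML renderer; for type="html" the result *is* HTML
    and is handed over as-is, exactly as the closing comment describes.
    Returns the HTML string the renderer would receive.
    """
    root = ET.fromstring(entry_xml)
    content = root.find(f"{{{ATOM_NS}}}content")
    ctype = content.get("type", "text")
    text = content.text or ""
    if ctype == "html":
        return text
    if ctype == "text":
        return html.escape(text)
    raise ValueError(f"unsupported content type {ctype!r}")


class RenderModel(HTMLParser):
    """Stand-in for the browser's HTML parser: records which start tags
    (live elements) and which visible text the markup produces."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse_rendered(rendered_html: str) -> tuple[list[str], str]:
    """Return (element tags created, visible text) for the rendered HTML."""
    p = RenderModel()
    p.feed(rendered_html)
    p.close()
    return p.tags, "".join(p.text)


if __name__ == "__main__":
    for mode in ("buggy", "html", "text"):
        xml = build_entry(COMMIT_MESSAGE, mode)
        tags, text = parse_rendered(render_as_html(xml))
        print(f"{mode:>5}: elements={tags} visible={text!r}")
        print(f"       wire form: {xml}")
```

Run as a script, the `buggy` variant is the only one that produces an `input` element: its wire form contains `&lt;input` (a single XML escape), which the consumer unescapes back to `<input ...>` and, because the feed said `type="html"`, renders as markup. The `html` variant carries `&amp;lt;input` on the wire, so the consumer is left holding `&lt;input`, which the HTML parser shows as the literal text `<input ...>`.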