<META> tag is allowed inside <body>

VERIFIED WONTFIX

Status

Core
Security
P2
normal
16 years ago
13 years ago

People

(Reporter: 3APA3A, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
mozilla0.9.6

(Reporter)

Description

16 years ago
According to HTML 4.1 (and previous) specification, the <META> tag is allowed in
the HTML header section, but Netscape executes <META> in the message body. This problem
has a security aspect, because multiple web boards, web mails, guestbooks etc.
strip javascript from user input but allow all other tags. In this case, by
using <META HTTP-EQUIV="Refresh"> it's possible to redirect the user to any location or
trick him into some actions (for example deleting account, changing password, etc).

Comment 1

Unfortunately, many many sites out there stick <meta> tags in <body> and expect
them to work.  They _do_ work in both IE and NS4.x...

Consider for example places like geocities or google cache that append stuff to
the beginning of the document.  You'd expect meta tags (eg charset) to still
work...

> multiple web boards, web mails, guestbooks etc strips javascript from user
> input but allow all other tags

Would you not say those are bugs in that software?
(Assignee)

Comment 2

16 years ago
cc'ing a few people who might know if this is a requirement. While this is a
legitimate security concern, in the end it's up to websites not to allow
dangerous content to be uploaded to their sites, and this includes META tags. If
we would break a lot of sites by disallowing META tags in the document body,
then we probably shouldn't do it, but I'll try to find out if this is so.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 3

16 years ago
Confirmed - this works as described. Changing description for clarity.
Severity: major → normal
Priority: -- → P2
Summary: <META> tag is allowed outside message body → <META> tag is allowed inside <body>
Target Milestone: --- → mozilla0.9.5
(Assignee)

Comment 4

16 years ago
Time marches on. Retargeting to 0.9.6.
Target Milestone: mozilla0.9.5 → mozilla0.9.6
(Assignee)

Comment 5

16 years ago
Apparently we can't stop accepting META tags in the body without breaking a
bunch of sites. As it's ultimately the sites' responsibility to watch out for
things like this, this bug will have to be wontfix.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WONTFIX

Comment 6

16 years ago
Marking verified wontfix as per above developer comments.
Status: RESOLVED → VERIFIED

Comment 7

15 years ago
*** Bug 200399 has been marked as a duplicate of this bug. ***

Comment 8

13 years ago
*** Bug 267180 has been marked as a duplicate of this bug. ***

Comment 9

13 years ago
I submitted bug 200399 which is slightly different in that META tags without a
closing bracket are interpreted.  This is more of a security issue than it would
first seem, since most HTML filters only filter s!<.*?>!!g or something similar,
but bug 200399 allows this even without the closing bracket, such as:

<meta http-equiv="REFRESH" CONTENT=0;URL='http://mozilla.org/'
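
The filter gap described in comment 9, as an added example that is not part of the original bug thread: a tag-stripping regex equivalent to s!<.*?>!!g passes an unterminated tag through untouched, while escaping first and then restoring a small allowlist does not depend on a closing bracket. The function names, the allowlist and the sample strings are assumptions constructed for illustration.

```python
import html
import re

# Constructed inputs modelled on the comment above (example.org is a placeholder).
CLOSED = '<meta http-equiv="refresh" content="0;URL=http://example.org/">hello'
UNCLOSED = "hi <meta http-equiv=\"REFRESH\" CONTENT=0;URL='http://example.org/'"

ALLOWED_TAGS = ("b", "i", "em", "strong")  # assumption: the site's allowlist
_ALLOWED_RE = re.compile(r"&lt;(/?)(%s)&gt;" % "|".join(ALLOWED_TAGS), re.I)


def naive_strip(text):
    """Python equivalent of the s!<.*?>!!g filter quoted in comment 9."""
    return re.sub(r"<.*?>", "", text)


def escape_then_allow(text):
    """Escape every metacharacter, then restore only bare allowlisted tags.

    Nothing depends on finding a closing '>', so an unterminated tag
    comes out as inert text instead of markup.
    """
    escaped = html.escape(text, quote=True)
    return _ALLOWED_RE.sub(r"<\1\2>", escaped)


def leaves_markup(filtered, allowed=ALLOWED_TAGS):
    """Output check: True if any '<' remains that is not an allowlisted tag."""
    bare = re.compile(r"</?(%s)>" % "|".join(allowed), re.I)
    return "<" in bare.sub("", filtered)


if __name__ == "__main__":
    for sample in (CLOSED, UNCLOSED, "<b>bold</b> " + UNCLOSED):
        for name, fn in (("naive", naive_strip), ("escape", escape_then_allow)):
            out = fn(sample)
            print(f"{name:6} leaves_markup={leaves_markup(out)!s:5} {out!r}")
```

The leaves_markup check can run as a regression test over a filter's output, so a filter that relies on matching a closing bracket is caught before deployment.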