Closed Bug 98700 Opened 23 years ago Closed 23 years ago

<META> tag is allowed inside <body>

Categories: Core :: Security, defect, P2
Tracking: VERIFIED WONTFIX, target milestone mozilla0.9.6
People: Reporter: 3APA3A, Assigned: security-bugs

Details

According to the HTML 4.1 (and previous) specification, the <META> tag is allowed in
the HTML header section, but Netscape executes <META> in the message body. This problem
has a security aspect, because multiple web boards, web mails, guestbooks etc.
strip javascript from user input but allow all other tags. In this case, by
using <META HTTP-EQUIV="Refresh"> it's possible to redirect the user to any location or
trick him into some actions (for example deleting an account, changing a password, etc.).
Unfortunately, many many sites out there stick <meta> tags in <body> and expect
them to work.  They _do_ work in both IE and NS4.x...

Consider for example places like geocities or google cache that append stuff to
the beginning of the document.  You'd expect meta tags (eg charset) to still
work...

> multiple web boards, web mails, guestbooks etc strips javascript from user
> input but allow all other tags

Would you not say those are bugs in that software?
cc'ing a few people who might know if this is a requirement. While this is a
legitimate security concern, in the end it's up to websites not to allow
dangerous content to be uploaded to their sites, and this includes META tags. If
we would break a lot of sites by disallowing META tags in the document body,
then we probably shouldn't do it, but I'll try to find out if this is so.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Confirmed - this works as described. Changing description for clarity.
Severity: major → normal
Priority: -- → P2
Summary: <META> tag is allowed outside message body → <META> tag is allowed inside <body>
Target Milestone: --- → mozilla0.9.5
time marches on. Retargeting to 0.9.6.
Target Milestone: mozilla0.9.5 → mozilla0.9.6
Apparently we can't stop accepting META tags in the body without breaking a
bunch of sites. As it's ultimately the sites' responsibility to watch out for
things like this, this bug will have to be wontfix.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Marking verified wontfix as per above developer comments.
Status: RESOLVED → VERIFIED
*** Bug 200399 has been marked as a duplicate of this bug. ***
*** Bug 267180 has been marked as a duplicate of this bug. ***
I submitted bug 200399, which is slightly different in that META tags without a
closing bracket are interpreted.  This is more of a security issue than it would
first seem, since most HTML filters only filter s!<.*?>!!g or something similar,
but bug 200399 allows this even without the closing bracket, such as:

<meta http-equiv="REFRESH" CONTENT=0;URL='http://mozilla.org/'
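The two points raised in this thread, that sites strip tags from user input with a pattern such as s!<.*?>!!g and that an unterminated <meta> slips past such a pattern while the browser still honours it, can be shown side by side. The following Python is an added illustration, not code from the bug report, from Mozilla, or from any of the sites mentioned: it runs the regex filter and an allowlist sanitizer built on the standard library's html.parser over two constructed samples, a well-formed <meta> refresh and the unclosed form. The allowlist of tags and attributes, the sample strings and the example.invalid URL are all assumptions made for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples of user-submitted markup (not taken from the bug thread):
# a well-formed <meta> refresh, and the unclosed form described in bug 200399,
# where no ">" ever follows the tag.
CLOSED_META = 'hello <meta http-equiv="Refresh" content="0;URL=http://example.invalid/"> world'
UNCLOSED_META = "hello <meta http-equiv=\"REFRESH\" CONTENT=0;URL='http://example.invalid/'\nworld"


def naive_strip(markup: str) -> str:
    """Python equivalent of the Perl filter s!<.*?>!!g quoted in the thread.

    It deletes any '<' up to the next '>' on the same line, so a tag that is
    never closed is not matched and survives untouched.
    """
    return re.sub(r"<.*?>", "", markup)


# Hypothetical allowlist of what user content may carry. Everything else,
# <meta> included, is dropped regardless of whether a browser would tolerate it.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds user markup from the parser's token stream, keeping only allowlisted tags.

    Because output is generated from parsed tokens rather than from a regex over
    raw text, an unterminated tag is either parsed as a tag (and dropped, since it
    is not allowlisted) or treated as text (and escaped). Neither path lets a live
    <meta> reach the page.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self.dropped: list[str] = []

    def _emit_start(self, tag, attrs, self_closing: bool) -> None:
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # href is only kept for plain http(s) URLs.
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, so a '<' the parser did not treat as a tag is
        # rendered literally instead of being handed to the browser as markup.
        self.parts.append(html.escape(data, quote=False))


def sanitize(markup: str) -> tuple[str, list[str]]:
    """Return (sanitized markup, list of tag names that were dropped)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts), parser.dropped


if __name__ == "__main__":
    for label, sample in (("closed", CLOSED_META), ("unclosed", UNCLOSED_META)):
        print(f"--- {label} ---")
        print("regex strip :", repr(naive_strip(sample)))
        print("allowlist   :", repr(sanitize(sample)[0]))
```

Running it shows the regex removing the well-formed tag but returning the unclosed one unchanged, while the allowlist sanitizer produces no <meta> in either case. The design point is the one Mitch makes in the thread: the browser's tolerance is not going to change, so the site must decide what markup it will emit, and that decision is far easier to make correctly over parsed tokens than over the raw bytes.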