Opened 17 years ago
Closed 17 years ago
#1658 closed Bug (invalid)
XSS Injection with img tag
Reported by: | fanfarian | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | General | Version: | FCKeditor 2.5 |
Keywords: | Pending | Cc: | |
Description
Hi there,
If you use:
<img src="image.jpg" onload="alert('valid cross-site scripting');" />
an XSS injection is possible.
Enter this into the source code of an FCK window, then just preview the site and the JS executes.
Browser: Firefox 2.0.0.11 (latest)
OS: WinXP SP2
FCKG: Version 2.5 Build 17352
Using FCK with PHP5
cheers
fanfarian
Change History (3)
comment:1 Changed 17 years ago by
Keywords: | Pending added; XSS Injection removed |
---|
comment:2 Changed 17 years ago by
I forgot, you don't need any image; you can use a script directly:
<script type="text/javascript"> alert("hello world") </script>
Yes, FCKeditor doesn't filter any of the HTML, or people would complain about that. If you are saving the content sent by any user, then you must perform a validation on the server, because it would be trivial for an evil user who tries to inject some attack to bypass a simple JavaScript protection.
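One way to do the server-side validation the last comment calls for, as an added example that is not part of the ticket or of FCKeditor's code: parse the submitted HTML and re-serialise only allowlisted tags and attributes. It is written in Python with the standard library only; the allowlists, the URL-scheme policy and the names `sanitize_html` and `_Rebuilder` are assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this example; adjust the allowlists to your content model.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # their bodies reach handle_data() as raw text

def _safe_url(value):
    # Browsers ignore whitespace and control characters in a scheme: strip them first.
    compact = re.sub(r"[\x00-\x20]+", "", value).lower()
    scheme = re.match(r"([a-z][a-z0-9+.\-]*):", compact)
    return scheme is None or scheme.group(1) in SAFE_SCHEMES

class _Rebuilder(HTMLParser):  # re-serialises allowlisted markup only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], None  # skipping: script/style being discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
        if self.skipping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Attributes outside the allowlist (onload, onerror, style, ...) are dropped.
            if name in ALLOWED_ATTRS.get(tag, ()) and (name not in ("href", "src") or _safe_url(value)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif not self.skipping and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")  # void elements get no end tag

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def sanitize_html(untrusted):
    parser = _Rebuilder()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed events rather than edited in place, anything the parser did not recognise as allowlisted markup comes out escaped or not at all. Where a maintained sanitizer library exists for your server stack, prefer it over a hand-written filter.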