Ticket #43 (new defect)
Opened 11 months ago
MOLGENIS code injection still possible
| Reported by: | jvelde | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | MOLGENIS 3.3.2 |
| Component: | molgenis | Keywords: | |
| Cc: | | Sensitive: | |
| Parent ID: | | Scheduled: | |
Description
If you put some HTML in a MOLGENIS input field, you can break the interface. For example, this line (provided by Machiel) creates an IFRAME and will ruin the interface/plugins:

```
``''""<test><iframe src=`../../..\\/www.google.nl` width=730 height=360>
```

It does NOT actually open Google though, as the URL of the IFRAME is incorrect in this case.

I've started by making a function (TODO) in the Input class that should filter any input very strictly. For example, only allow A-Z, a-z, 0-9 and maybe '.' and '-'.

However, any custom input field in a plugin would be vulnerable again. Maybe we need a different solution for this.
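As an added example (not MOLGENIS code, and `InputSanitizer` is a hypothetical name): a Java helper showing both the strict whitelist proposed in the ticket and HTML output escaping. Escaping at render time also covers custom plugin fields, because it does not depend on every input path calling the validator.

```java
import java.util.regex.Pattern;

/** Hypothetical helper, not part of MOLGENIS: validates and escapes user-supplied text. */
public final class InputSanitizer {
    // Strict whitelist as proposed in the ticket: letters, digits, '.' and '-'.
    private static final Pattern STRICT = Pattern.compile("^[A-Za-z0-9.\\-]*$");

    private InputSanitizer() {}

    /** Returns true if the value contains only whitelisted characters (rejects all markup). */
    public static boolean isStrictlyValid(String value) {
        return value != null && STRICT.matcher(value).matches();
    }

    /**
     * Escapes the five characters HTML treats specially so the value is rendered
     * as literal text and never parsed as markup. Applied at output time, this
     * protects every rendering path, including plugin fields that skip validation.
     */
    public static String escapeHtml(String value) {
        if (value == null) return "";
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The test line from the ticket, embedded here as a constructed input value.
        String payload = "``''\"\"<test><iframe src=`../../..\\\\/www.google.nl` width=730 height=360>";
        System.out.println("strict whitelist accepts it: " + isStrictlyValid(payload));
        System.out.println("escaped for output: " + escapeHtml(payload));
        // After escaping there is no '<' left, so a browser shows the text instead of an IFRAME.
        System.out.println("still contains '<': " + escapeHtml(payload).contains("<"));
    }
}
```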