Description
URIs in ReST links are not escaped.
Steps to reproduce
- Add a ReST link with some JS code as the href
Example
{{{#!rst "`NotMe <javascript:alert(1)>`_" , "MORELOL" }}}
"NotMe" , "MORELOL"
Component selection
- ReST parser
Details
MoinMoin Version | <= 1.9.3
OS and Version |
Python Version |
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) |
Workaround
Discussion
Reported at http://moinmo.in/4ct10n/diff/MoinBounties?action=diff&rev1=47&rev2=48. -- EugeneSyromyatnikov 2011-02-21 11:33:05
Well, I don't think this is about escaping URLs (it is a link, so the URL should be ok and unmodified).
But of course we don't want to support javascript: URLs.
Plan
- Priority:
- Assigned to:
Status: fixed by http://hg.moinmo.in/moin/1.9/rev/97208f67798f
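
An added example (not MoinMoin's code and not the content of the linked changeset): one way to refuse `javascript:` link targets, as the Discussion asks, is a scheme allowlist applied to the URI before it is written into an href. The function names and the allowlist are assumptions made for this illustration.

```python
import re

# Assumed allowlist for this example; a wiki would normally read it from its configuration.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def link_scheme(uri):
    """Return the lowercased scheme a browser would see, or None for a relative reference."""
    # Browsers trim C0 controls and spaces at both ends and drop tab/CR/LF
    # anywhere in a URL before parsing, so the check must do the same.
    cleaned = re.sub(r"[\t\r\n]", "", uri.strip(_C0_AND_SPACE))
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_link_uri(uri, allowed=ALLOWED_SCHEMES):
    """Relative references pass; absolute URIs pass only if their scheme is allowlisted."""
    scheme = link_scheme(uri)
    return scheme is None or scheme in allowed


def filter_href(uri, allowed=ALLOWED_SCHEMES):
    """Return uri unchanged when it is safe, else None so the caller renders plain text."""
    return uri if is_safe_link_uri(uri, allowed) else None


if __name__ == "__main__":
    # Constructed sample targets; the first is the one from the Example section.
    samples = [
        "javascript:alert(1)",
        "JavaScript:alert(1)",
        "http://moinmo.in/",
        "mailto:user@example.org",
        "FrontPage",
    ]
    for target in samples:
        verdict = "keep as link" if is_safe_link_uri(target) else "render as text"
        print("%-28r %s" % (target, verdict))
```

An allowlist fails closed: a scheme nobody thought of (`data:`, `vbscript:`) is rejected without needing its own rule, which a blocklist of `javascript:` alone would not give.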