## page was renamed from MoinMoinBugs/1.9.2XSSTemplateParameter
= Description =

## Please read this page. Lines prefixed with ## such as this one are comments,
## you can remove them (except for those after the "Plan" section.)
## Please follow the instructions given in those comments and the text.
## After creating the bug page, please subscribe to it! We may have questions
## that only you can answer, and if you get email when your bug changes it'll
## be much faster to get it fixed since you can answer the questions!

There is a possible reflected Cross-Site Scripting attack. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities. The template parameter is vulnerable, as can be seen by navigating to a URL: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script> 

== Steps to reproduce ==
## Describe the steps needed to reproduce the bug. If we can't reproduce it, we  probably can't fix it.
 1. navigate to a URL of the form: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>

== Example ==
##Add URL that show the bug, screenshot or test wiki markup that fail...

URL: http://<site>/NonExistantUser?action=edit&template=<script>alert(document.cookie);</script>


== Component selection ==

## Where you think is this bug happening ? (general, plugin [plugin name], theme [theme name], ...

 * add_msg expects correctly escaped input, but it isn't done at all places

== Details ==

## If you got a traceback, please save the traceback page as html and attach here:
## [[attachment:traceback.html]]

## if the bug is in this wiki, just kill the table and write: This Wiki.

## If a traceback is not available, please fill in the details here:
|| '''!MoinMoin Version''' || 1.9.2 ||
|| '''OS and Version''' || Linux ||
|| '''Python Version''' || 2.5 ||
|| '''Server Setup''' || Apache ||
|| '''Server Details''' || N/A ||
|| '''Language you are using the wiki in''' (set in the browser/UserPreferences) || N/A ||

== Workaround ==
## How to deal with the bug until it is fixed

{{{#!python
diff -r 172146fe48a2 MoinMoin/PageEditor.py
--- a/MoinMoin/PageEditor.py    Tue May 11 23:08:11 2010 +0200
+++ b/MoinMoin/PageEditor.py    Thu Jun 03 12:16:26 2010 +0400
@@ -278,14 +278,15 @@
         elif 'template' in request.values:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(request.values['template'])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
                 else:
-                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
             else:
-                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body:
}}}

= Discussion =

Is there already a CVE assigned for this?

= Plan =
## This part is for Moin``Moin developers:

 * Priority: 
 * Assigned to:
 * Status:
  * template-param patch from above applied by [[http://hg.moinmo.in/moin/1.9/rev/68ba3cc79513|68ba3cc79513]].
  * 1.7 fixed in [[http://hg.moinmo.in/moin/1.7/rev/37306fba2189|37306fba2189]] (with [[http://hg.moinmo.in/moin/1.7/rev/f8871116c6b3|f8871116c6b3]] adding missed in `action/login.py` `wikiutil` module)
  * 1.8 fixed in [[http://hg.moinmo.in/moin/1.8/rev/4238b0c90871|4238b0c90871]] (with [[http://hg.moinmo.in/moin/1.8/rev/bb27a4b9dfe3|bb27a4b9dfe3]] adding missed in `action/login.py` `wikiutil` module)
  * 1.9 fixed in [[http://hg.moinmo.in/moin/1.9/rev/4fe9951788cb|4fe9951788cb]] (separate fix for SlideShow action), [[http://hg.moinmo.in/moin/1.9/rev/e50b087c4572|e50b087c4572]] + [[http://hg.moinmo.in/moin/1.9/rev/60fde500cbc2|60fde500cbc2]] (with [[http://hg.moinmo.in/moin/1.9/rev/282ff1a50c4d|282ff1a50c4d]] adding missed in `action/login.py` `wikiutil` module)

----
## If you are a moin core developer, replace the category to Category* in these cases:
## Category MoinMoinNoBug - if this is not a bug.
## Category MoinMoinBugConfirmed - if you can confirm the bug on current code.
## Category MoinMoinBugFixed - after the bug is fixed in current code.
CategoryMoinMoinBugFixed