Taulmarill has asked for the wisdom of the Perl Monks concerning the following question:

As i was looking for a nice BBCode2HTML converter i came across the following behavior of the Module which i think is a bug which could be exploited to insert JS.
[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]
becomes
<span style="color: blue" onmouseover="this.innerHTML = 'XSS'">test</span>

I used the following script to test this behavior: 
use strict;
use warnings;

use HTML::BBCode;

my $bbcode = q~[color=blue" onmouseover="this.innerHTML = 'XSS']test[/
+color]~;
my $bbc = HTML::BBCode->new( {
    no_html      => 1,
    no_jslink    => 1,
    linebreaks   => 1,
} );
print $bbc->parse($bbcode);
print "\n";

[download]
If i made a mistake or there is a workaround other than disabling the color-tag (and maybe other tags, too), please let me know. Also i would like to hear other suggestions for BBCode2HTML converters (doesn't have to be exactly BBCode, could be something similar) that are known to be safe for public websites.

Replies are listed 'Best First'.
Re: XSS-Bug in HTML::BBCode
by moritz (Cardinal) on Aug 14, 2007 at 13:39 UTC
    This looks like a (severe) bug indeed. Did you notify the author of HTML::BBCode?

    (Update: fixed link)

[reply]
      Just posted a bug report on http://rt.cpan.org
      It took me a while to find my password for PAUSE, cause i use it rarely.
[reply]

        Thanks for reporting!

        I'll see if I can patch it asap. Any pointers on how to prevent this in a nice way could be helpful :-)

        --
        b10m

        All code is usually tested, but rarely trusted.
[reply]

Back to Seekers of Perl Wisdom