XSS vulnerability in RDF validation service

From: Philip Taylor <pjt47@cam.ac.uk>
Date: Mon, 16 Mar 2009 22:52:27 +0000
Message-ID: <49BED82B.3020000@cam.ac.uk>
To: www-rdf-validator@w3.org
See 
<http://www.w3.org/RDF/Validator/ARPServlet?URI=http%3A%2F%2Fphilip.html5.org%2Fdemos%2Frdfa%2Fmisc02.html&PARSE=Parse+URI%3A+&TRIPLES_AND_GRAPH=PRINT_TRIPLES&FORMAT=PNG_EMBED>

The validator displays strings without any escaping, allowing arbitrary 
script code to be executed in the www.w3.org security context.

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Monday, 16 March 2009 22:53:05 GMT
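
The flaw reported above, as an added example that is not part of the original message and is not the validator's own code: a triple table written to the page verbatim, next to a version that HTML-encodes every value before output. The function names and sample triples are constructed for illustration; restricting links to http(s) URIs goes one step beyond the escaping the report mentions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: triples as a parser might extract them from an
# untrusted document. The literals carry markup supplied by that document.
SAMPLE_TRIPLES = [
    ("http://example.org/doc", "http://purl.org/dc/terms/title",
     "<script>alert(1)</script>"),
    ("http://example.org/doc", "http://example.org/p?a=1&b=2",
     "say \"hi\" & 'bye'"),
]


def render_unescaped(triples):
    """Behaviour the report describes: strings reach the page verbatim."""
    rows = ["<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % t for t in triples]
    return "<table>" + "".join(rows) + "</table>"


def is_linkable(value):
    """True only for absolute http(s) URIs (hypothetical helper)."""
    try:
        return urlsplit(value).scheme in ("http", "https")
    except ValueError:
        # Malformed input such as an unbalanced IPv6 bracket: treat as text.
        return False


def cell(value):
    """Encode one value for HTML element content and quoted attributes."""
    text = html.escape(value, quote=True)  # escapes & < > " and '
    if is_linkable(value):
        return '<td><a href="%s">%s</a></td>' % (text, text)
    # Literals and non-http schemes (e.g. javascript:) are shown as text.
    return "<td>%s</td>" % text


def render_escaped(triples):
    """Same table, with every subject, predicate and object encoded."""
    rows = ["<tr>" + "".join(cell(v) for v in t) + "</tr>" for t in triples]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_TRIPLES))
    print(render_escaped(SAMPLE_TRIPLES))
```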