
Re: Multiple cross-site-scripting bugs

From: Olivier Thereaux <ot@w3.org>
Date: Fri, 4 Oct 2002 13:12:03 +0900
Cc: www-validator@w3.org
To: Tom Gilder <tom@tom.me.uk>
Message-Id: <701C3BFA-D74F-11D6-BF9D-000393BAB03A@w3.org>

Hi Tom, thanks a lot for this report. A few comments inline.

On Monday, Sep 30, 2002, at 23:06 Asia/Tokyo, Tom Gilder wrote:

>
> Hello, there are multiple ways to insert HTML and scripting into the
> validator...

Cross-site scripting vulnerabilities seem to be trendy these days :)

> * Simple querystring:
>   
> http://validator.w3.org/check?uri=http://<script>alert("boo")</script>

Yes, we were aware of this one, and it's fixed in the development 
version. It should be released fairly soon, and we'll encourage people 
running a local validator to upgrade.

> * Character encoding HTTP header:
>   Returning "Content-type: text/html; charset=<script>...</script>"
>   http://validator.w3.org/check?uri=http://tom.me.uk/2002/9/val.asp

Oh, that's a clever one. Ugly, but clever. It seems that this problem 
exists in the dev version, too.

> * Server HTTP header - "Server: <script>...</script>"
> * Content-length HTTP Header - "Content-length: <script>...</script>"

I'm not able to test it with the development version of the validator 
now. Can you try with validator.w3.org:8001?
If you can't, no problem, we will try later.

> All of these should have the HTML escaped before outputting.

We'll try to address all this during the beta test period for the new 
version, due soon.

Thanks again, Tom.

-- 
Olivier Thereaux - W3C
http://www.w3.org/People/olivier | http://yoda.zoy.org
Received on Friday, 4 October 2002 00:12:18 GMT
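
The fix requested in the report above ("All of these should have the HTML escaped before outputting"), as an added example that is not part of the original messages or the validator's own code. The function names, report layout and sample headers are assumptions constructed for illustration; the values come from the remote server and the query string, so each one is escaped at output time, and the two fields with a known grammar are also validated.

```python
import html
import re

# RFC 7230 "token" characters: the only ones a charset name may contain.
TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")
DIGITS = re.compile(r"[0-9]+")

def charset_of(content_type):
    """Return the raw charset parameter of a Content-Type value, or ''."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"')
    return ""

def checked_fields(uri, headers):
    """Map each report label to (raw_value, is_valid). Hypothetical layout."""
    charset = charset_of(headers.get("Content-Type", ""))
    length = headers.get("Content-Length", "")
    return {
        "Address": (uri, True),   # free text: nothing to validate, only escape
        "Encoding": (charset, bool(TOKEN.fullmatch(charset))),
        "Size": (length, bool(DIGITS.fullmatch(length))),
        "Server": (headers.get("Server", ""), True),
    }

def render_report(uri, headers):
    """Build the HTML table; every remote value passes through html.escape."""
    rows = []
    for label, (raw, ok) in checked_fields(uri, headers).items():
        note = "" if ok else " (invalid value)"
        rows.append("<tr><th>%s</th><td>%s%s</td></tr>"
                    % (html.escape(label), html.escape(raw, quote=True), note))
    return "<table>\n%s\n</table>" % "\n".join(rows)

# Constructed sample reusing the markup quoted in the report.
PAYLOAD = '<script>alert("boo")</script>'
SAMPLE_URI = "http://" + PAYLOAD
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=" + PAYLOAD,
    "Server": PAYLOAD,
    "Content-Length": PAYLOAD,
}

if __name__ == "__main__":
    print(render_report(SAMPLE_URI, SAMPLE_HEADERS))
```

Validation alone would not cover the Server header or the address, which are free text, so the escape at output is what closes all four cases.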
