
Xss in check spelling #4524

Closed
rcubetrac opened this issue Apr 14, 2014 · 4 comments

Comments

@rcubetrac

Reported by skyice on 14 Apr 2014 12:06 UTC as Trac ticket #1489806

Hello,

When you use the check-spelling with a non-HTML editor, you have an input where you can write something. You add in the input something like that:

<img src="x"onerror="alert(/xss/)"/>

A popup will appear:

[Image: http:_skyice.fr/images/popup.PNG]
[Image: http:_skyice.fr/images/input.PNG]

Migrated-From: http://trac.roundcube.net/ticket/1489806

@rcubetrac

Comment by @thomascube on 14 Apr 2014 12:43 UTC

So what? You can only XSS yourself with this. When ending spell checking mode, that's turned into regular text. Not very nice but no harmful content is being sent to others from this.

@rcubetrac

Comment by @alecpl on 14 Apr 2014 13:06 UTC

This was simple to fix. Done in eb0dec9.
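The defect class the thread describes, as an added example that is not Roundcube's code and does not reproduce commit eb0dec9 (which is not shown on this page): a spell-check widget takes the word typed into the correction input and splices it into markup that is later assigned to the page, so a word containing a tag is parsed as HTML instead of text. All function names below are assumed; the payload is the one quoted in the report, used here as a constructed test input. The small `findInjectedTag` helper is the kind of check a test suite can run over generated markup to catch this regression.

```javascript
// Added example (not Roundcube's own code). Assumed names throughout.

// Escape the five characters that change meaning inside HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the word from the correction input is concatenated
// straight into markup destined for innerHTML, so tags in it are live.
function buildSuggestionMarkupUnsafe(word) {
  return '<span class="mispell">' + word + "</span>";
}

// Hardened pattern: escape first, so the browser renders the word as text.
// (Using textContent on an element instead of building a string is the
// other correct option when a DOM is available.)
function buildSuggestionMarkupSafe(word) {
  return '<span class="mispell">' + escapeHtml(word) + "</span>";
}

// Regression check: return the first element tag in `markup` that is not
// part of the template, or null if only the allowed tags are present.
function findInjectedTag(markup, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowedTags.includes(tag)) return tag;
  }
  return null;
}

// Constructed sample input: the payload quoted in the report.
const PAYLOAD = '<img src="x"onerror="alert(/xss/)"/>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(findInjectedTag(buildSuggestionMarkupUnsafe(PAYLOAD), ["span"])); // img
  console.log(findInjectedTag(buildSuggestionMarkupSafe(PAYLOAD), ["span"]));   // null
}
```

As thomascube notes, only the user who typed the word sees the resulting popup, which is why the severity is low; the escaping still belongs in the widget because the same code path is what would matter if the content ever reached another recipient.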

@rcubetrac

Status changed by @alecpl on 14 Apr 2014 13:06 UTC

new => closed

@rcubetrac

Milestone changed by @alecpl on 14 Apr 2014 13:06 UTC

later => 1.0.1
