If members of your Plone site are allowed to insert HTML, your site may be vulnerable to XSS attacks. By default Plone registers Kupu as the editor for members, and Kupu allows inserting raw HTML: just click the 'html' button. To filter JavaScript, Plone relies on the safe_html transform, which can be bypassed easily.
Take this example:
- Create a new document
- Disable JavaScript and CSS in your browser, so that Kupu does not load and the Text field is a plain textarea that takes your markup verbatim
- Write in the Text field:
<img src="j ava sc ript:alert(document.cookie)" />
- Save and view the document in IE6
The safe_html transform cannot filter the example above: it looks for the literal scheme javascript: and never sees it once the string is broken up with whitespace. IE6 ignores whitespace inside a URL scheme, so it resolves the attribute as javascript: and executes it without problem.
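As an added example (not code from the original post and not Plone's safe_html), here is a small Python check that reproduces the weakness and the fix. naive_is_safe is a hypothetical blocklist that only rejects the literal substring javascript:, which is the behaviour the bypass above exploits; hardened_is_safe strips the control and whitespace characters a lenient browser skips, extracts the scheme, and accepts only an allowlist of schemes. The attribute set URL_ATTRS, the allowlist SAFE_SCHEMES and the sample payloads are assumptions constructed for the example; the split-scheme payload is the one from the post, and the entity-encoded variant is added to show that the same normalisation step is needed after character references are decoded.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs. SPLIT_PAYLOAD is the post's bypass; the others
# are added here to show neighbouring cases.
SPLIT_PAYLOAD = '<img src="j ava sc ript:alert(document.cookie)" />'
PLAIN_PAYLOAD = '<img src="javascript:alert(document.cookie)" />'
ENTITY_PAYLOAD = '<a href="java&#9;script:alert(document.cookie)">x</a>'
BENIGN = '<a href="https://example.org/page">ok</a><img src="/logo.png" />'

# Attribute names treated as URL-bearing (assumed list, not safe_html's own).
URL_ATTRS = {"src", "href", "action", "background", "dynsrc", "lowsrc"}
# Allowlist of schemes a member may use (assumed policy).
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}


class _UrlAttrCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute.
    HTMLParser decodes character references in attribute values, so
    'java&#9;script:' arrives here as 'java\\tscript:'."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases attribute names.
        for name, value in attrs:
            if value is not None and name in URL_ATTRS:
                self.urls.append((tag, name, value))


def url_attributes(markup):
    collector = _UrlAttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.urls


def naive_is_safe(markup):
    """Hypothetical blocklist check with the weakness the post describes:
    it only rejects the literal substring 'javascript:'."""
    return all("javascript:" not in value.lower()
               for _, _, value in url_attributes(markup))


# Characters IE6 (and other old engines) skipped inside a URL scheme:
# ASCII control characters, space and DEL.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def normalized_scheme(value):
    """Return the scheme a lenient browser would see, lower-cased,
    or None for a relative URL with no scheme."""
    cleaned = _IGNORED.sub("", value)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def hardened_is_safe(markup):
    """Allowlist check: normalise first, then accept only known schemes.
    Unknown schemes (javascript, vbscript, data, ...) are rejected by
    default instead of being enumerated one by one."""
    for _, _, value in url_attributes(markup):
        scheme = normalized_scheme(value)
        if scheme is not None and scheme not in SAFE_SCHEMES:
            return False
    return True


if __name__ == "__main__":
    for label, sample in [("split", SPLIT_PAYLOAD), ("plain", PLAIN_PAYLOAD),
                          ("entity", ENTITY_PAYLOAD), ("benign", BENIGN)]:
        print(f"{label:7} naive={naive_is_safe(sample)!s:5} "
              f"hardened={hardened_is_safe(sample)}")
```

The naive check passes the split payload and the tab-encoded one while the hardened check rejects both; only the benign markup with http(s) and relative URLs gets through. A real transform would strip or rewrite the offending attribute and re-serialise the markup rather than reject the whole document, and it would also have to handle event-handler attributes and script-bearing tags, which this example does not cover.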
01 Nov 2007 05:34:50
It's a bit confusing since your posts do not have dates on them, but: which version of Plone was this?
I just tried it on Plone 3, and it is certainly filtered out there.
01 Nov 2007 09:00:10
Hi Alexander,
You are right about dates. I will move to a Plone based blog soon :)
This is an old post. I don't remember the Plone version. But you are right: Plone filters XSS now.
It's me and Anton who added the filtering for XSS in portal transform. It was for Plone 2.5 if I remember correctly.