
Cargo allows storing javascript URLs in URL fields, and automatically linking them
Closed, Resolved | Public | Security


You can declare a Cargo table with a field of type URL. You can then store URLs like javascript:alert(1) in them. These URLs can be malicious and a user could be tricked into clicking on them. Cargo should probably not allow storing javascript: scheme URLs.

Note: It's notoriously difficult to blacklist javascript: protocol URLs, because browsers accept lots of variants. MediaWiki usually solves this problem by whitelisting good URL protocols, although I don't know if Cargo considers it acceptable to only allow a small set of good URLs. Maybe Cargo should allow everything, but only automatically link things that meet wfUrlProtocols().
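As an added illustration of the allowlist approach suggested above (example code, not Cargo's or MediaWiki's own): a URL field value is only turned into a link when it starts with a known-good protocol, and is otherwise shown as escaped plain text. ALLOWED_PROTOCOLS is a constructed subset of MediaWiki's default $wgUrlProtocols; in the real extension the alternation would be built from wfUrlProtocols() instead.

```php
<?php
// Constructed subset of MediaWiki's default $wgUrlProtocols (assumption for
// this example); a real implementation would call wfUrlProtocols() instead.
const ALLOWED_PROTOCOLS = [ 'http://', 'https://', 'ftp://', 'mailto:', '//' ];

/**
 * Build a regex in the same shape wfUrlProtocols() produces: a pipe-joined
 * list of escaped protocols, anchored to the start of the string.
 */
function allowedProtocolRegex(): string {
	$escaped = array_map(
		static fn ( string $p ): string => preg_quote( $p, '/' ),
		ALLOWED_PROTOCOLS
	);
	return '/^(?:' . implode( '|', $escaped ) . ')/i';
}

/**
 * Allowlist check: true only for URLs beginning with a permitted protocol.
 * javascript:, data:, unknown schemes and case variants all fail closed,
 * because nothing has to be enumerated and blocked, only matched and allowed.
 */
function isLinkableUrl( string $url ): bool {
	return (bool)preg_match( allowedProtocolRegex(), $url );
}

/**
 * Format a stored URL field value for display: allowed protocols become an
 * <a> element, everything else is emitted as text. Both the href attribute
 * and the visible text are HTML-escaped, so the value is never inserted raw.
 */
function formatUrlField( string $value ): string {
	$text = htmlspecialchars( $value, ENT_QUOTES );
	if ( !isLinkableUrl( $value ) ) {
		return $text; // stored, but deliberately not linked
	}
	return '<a href="' . $text . '">' . $text . '</a>';
}

// Constructed sample values as they might be stored in a Cargo URL field.
$samples = [
	'https://www.mediawiki.org/',
	'//example.org/path',
	'mailto:someone@example.org',
	'javascript:alert(1)',
	'JavaScript:alert(1)',
	'data:text/html,hello',
];
foreach ( $samples as $s ) {
	echo formatUrlField( $s ), "\n";
}
```

The first three samples are linked; the last three are printed as escaped text only.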


Author Affiliation
Other (Please specify in description)

Event Timeline

Bawolff changed Author Affiliation from N/A to Other (Please specify in description). Mar 6 2023, 5:54 PM

I think you'd need to escape $value if $escapeValue is true.

Otherwise looks good.

Yaron_Koren claimed this task.

Good point - I added that here: I think this task can be closed.

[marking as public since resolved]

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 5 2023, 11:36 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".