Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-31616

"Safe HTML" vulnerable to protocol-relative form action

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Labels:
    • Environment:
    • Similar Issues:

      Description

      With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, is it possible to write a form having a protocol-relative action URI that could be used to leak sensitive data to an external service.

      For example, this HTML is scrubbed correctly with the form action removed:

      <form action="https://malicious.com">
      <input type="submit">
      </form>

      The form action in this example is not scrubbed and it is possible for a user to create a form that directs to an external site:

      <form action="//malicious.com">
      <input type="submit">
      </form>

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              danielbeck Daniel Beck
              Reporter:
              jec Josh Cook
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: