HTML/JavaScript Execution in Metadata
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
calibre | Fix Released | Undecided | Unassigned |
Bug Description
Calibre 1.7 (Portable)
MS Windows 7 Professional SP1
Some metadata fields (at least "Authors") allow for the interpretation of HTML and JavaScript code.
Examples:
Author: <script>for (var i = 1; i <=3; i++){alert(
(only a nuisance, but could be turned into an infinite loop)
Author: <a href="http://
(clicking on the name of the author in the right panel takes the user to a web site. This could be abused to take unsuspecting users to web sites they don't want to visit)
Author: <img src="http://...">
(loads a remote image as soon as the user clicks on the list entry. It requires less user interaction than the two above and could be abused to track readers without them noticing; in my opinion, this is a privacy concern)
Author: <iframe src="http://...">
(can be abused as a combination of the previous two)
Author: <script>
(UI can be changed to trick users into downloading malicious software)
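The root cause described above is raw metadata being concatenated into the HTML of the details panel. The following is an added illustration, not calibre's own code: an author-line builder in the unsafe form beside an escaped one, using a hypothetical `search:authors:` link target in place of whatever the real panel links to, and constructed sample values shaped like the report's payloads.

```python
import html
from urllib.parse import quote

# Constructed sample metadata mirroring the payload shapes in the report
# (script, link, image, iframe) plus one ordinary name.
SAMPLE_AUTHORS = [
    'Jane Doe',
    '<script>alert(1)</script>',
    '<a href="http://example.invalid">Bob</a>',
    '<img src="http://example.invalid/t.gif">',
    '<iframe src="http://example.invalid"></iframe>',
]


def render_authors_vulnerable(authors):
    """Unsafe: the raw metadata value lands in both attribute and text context."""
    return ', '.join(
        '<a href="search:authors:%s">%s</a>' % (a, a) for a in authors)


def render_authors_safe(authors):
    """Safe: each value is encoded for the context it is inserted into."""
    parts = []
    for a in authors:
        text = html.escape(a, quote=True)              # element content
        target = html.escape(quote(a, safe=''), quote=True)  # URL inside an attribute
        parts.append('<a href="search:authors:%s">%s</a>' % (target, text))
    return ', '.join(parts)


def contains_markup(rendered, tags=('script', 'img', 'iframe')):
    """True if any of the injected tag names survives as live markup."""
    lowered = rendered.lower()
    return any('<%s' % t in lowered for t in tags)


if __name__ == '__main__':
    print('vulnerable:', contains_markup(render_authors_vulnerable(SAMPLE_AUTHORS)))
    print('safe      :', contains_markup(render_authors_safe(SAMPLE_AUTHORS)))
```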
information type: Private Security → Public Security
Fixed in branch master. The fix will be in the next release. calibre is usually released every Friday.
status fixreleased