Ack!
Thanks very much for noticing this and reporting it so thoroughly, Paul.
I'm attaching a fix that applies to the slideshow. Doing it as a patch, because I'm not sure how branches work with private bug reports. This receives from twitter.com using https, and it encodes any URIs it receives using the appropriate functions. With this patch, Paul's attack (if it got around https) would generate a link like this:
<a class="twitter-url" href="javascript:alert(document.body.innerHTML)%22%20onmouseover=%22%20xmlhttp%20=%20new%20XMLHttpRequest();%20xmlhttp.onreadystatechange%20=%20function()%20%7B%20if%20(xmlhttp.readyState%20==%204)%20%7B%20alert('XSSed!%20...%20'%20+%20xmlhttp.responseText);%20%7D%20%7D;%20xmlhttp.open('GET',%20'file:///target/etc/passwd',%20true);%20xmlhttp.send(null);%20%22%20style=%22z-index:100;position:absolute;top:0px;left:0px;width:100%25;height:100%25;">buzz.mw/_uuI1j</a>
That is, it wouldn't link anywhere.
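The comment's fix works by percent-encoding every URI taken from the feed before it is dropped into the href attribute, so the quote and space that would have closed the attribute come out as %22 and %20. The example below is an added illustration, not the slideshow's own code or the attached patch: it assumes a Python string template for the link (the project's real language and template are not shown here), and it adds one check the comment does not describe, an http/https scheme allowlist, because encoding alone still lets a `javascript:` URI through, as the comment's own output shows. The attack string and feed URL are constructed for the demo, not the reporter's exact payload.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed inputs for the demo (assumptions, not data from the bug report).
ATTACK_URL = 'javascript:alert(document.body.innerHTML)" onmouseover="alert(1)'
SAFE_URL = 'https://buzz.mw/_uuI1j?q=a b&x=<y>'

# Schemes we are willing to turn into a clickable link.
ALLOWED_SCHEMES = ("http", "https")

# Characters a URI legitimately needs (RFC 3986 reserved set plus '%' so that
# already-encoded sequences are not double-encoded). Everything else, including
# quotes, spaces and angle brackets, is percent-encoded.
URI_SAFE = ":/?#[]@!$&()*+,;=%"


def encode_uri(uri):
    """Percent-encode a URI received from the feed so it can never break out of
    an attribute. This is the 'encode with the appropriate functions' step."""
    return quote(uri, safe=URI_SAFE)


def link_scheme(uri):
    """Return the lower-cased scheme of a URI after stripping the whitespace and
    control characters browsers ignore when they parse a scheme."""
    cleaned = uri.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    return urlsplit(cleaned).scheme.lower()


def render_link(uri, label):
    """Build the anchor the way a template would: encoded href, escaped label.
    Non-web schemes get no href at all (the extra check added in this example)."""
    if link_scheme(uri) not in ALLOWED_SCHEMES:
        return '<span class="twitter-url">%s</span>' % html.escape(label, quote=True)
    return '<a class="twitter-url" href="%s">%s</a>' % (
        html.escape(encode_uri(uri), quote=True),
        html.escape(label, quote=True),
    )


if __name__ == "__main__":
    print(encode_uri(ATTACK_URL))
    print(render_link(ATTACK_URL, "buzz.mw/_uuI1j"))
    print(render_link(SAFE_URL, "buzz.mw/_uuI1j"))
```

Run stand-alone, the first line printed is the same shape as the href in the comment above: the `javascript:alert(...)` part survives untouched, only `"` and the space are encoded, which is why the attribute cannot be broken out of but the URI is still not something you want to hand a browser. The scheme check is what stops it from being emitted as a link at all.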