This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 197372 - Multiple cross site scripting vulnerabilities in plugin details fields
Summary: Multiple cross site scripting vulnerabilities in plugin details fields
Status: VERIFIED FIXED
Alias: None
Product: updatecenters
Classification: Unclassified
Component: Pluginportal
Version: 7.0.1
Hardware: PC Linux
Importance: P1 normal
Assignee: Jan Pirek
URL:
Keywords:
Depends on:
Blocks:
Reported: 2011-04-04 00:08 UTC by akochnev
Modified: 2011-04-04 16:28 UTC
CC List: 0 users

See Also:
Issue Type: DEFECT
Exception Reporter:


Attachments

Description akochnev 2011-04-04 00:08:30 UTC
Add "<b onClick="javascript:alert('xss')">This should be bold</b>" as Long Description, view plugin, click on "bold" description, get the "XSS" popup.

The whole idea of accepting HTML in some fields sounds like a can of worms. Maybe if it accepts some wiki/markdown formatted text that can be translated to HTML it would be much more secure. Otherwise, securing fields that accept and display raw HTML is a losing battle.
Comment 1 akochnev 2011-04-04 00:20:17 UTC
Also an issue when filling in the plugin "Home Page" field. Entering the following value (<b onClick="javascript:alert('xss')">This should be bold</b>) in the field causes the alert to be shown when I tab out of the field:
Comment 2 akochnev 2011-04-04 00:31:08 UTC
Actually, here's how to reproduce the issue w/ the Home Page / Website field: 

1. Edit the plugin description. Enter the value ("http://www.google.com" onclick="alert('aaa');return false" href="#) -- w/o the parentheses -- into the field. Save the form. 

2. Go back to editing the field. Click in the same field and the alert shows up. 

I was trying to make the link that is displayed on the details page (http://services.netbeans.org/pluginportal-2.0/plugin/38076/?show=true) to have an XSS issue. 


To get the XSS to execute on the plugin details page, use "javascript:alert('xss')" in the Home Page field.
Comment 3 akochnev 2011-04-04 01:50:57 UTC
The sample plugin that illustrates these issues is at http://services.netbeans.org/pluginportal-2.0/plugin/38076/?show=true .
Comment 4 Jiri Kovalsky 2011-04-04 11:01:01 UTC
Honzo, can you please take a look at this? Thanks!
Comment 5 Jan Pirek 2011-04-04 11:47:36 UTC
Hi,
the field with homepage_url is now secured.

Problem with description fields which allow html has to be resolved by some better output filtering or by using wiki markup as suggested.
Comment 6 akochnev 2011-04-04 12:53:55 UTC
Is the code that drives the new update center somewhere in the public hg repositories ? 

Also, is the new update center expected to release together w/ 7.0 ?
Comment 7 Jiri Kovalsky 2011-04-04 13:15:37 UTC
(In reply to comment #6)

> Is the code that drives the new update center somewhere in the public hg
> repositories ? 

Not.

> Also, is the new update center expected to release together w/ 7.0 ?

Yes, see http://wiki.netbeans.org/PluginPortal2Plan for more details about the schedule.
Comment 8 Jan Pirek 2011-04-04 13:29:56 UTC
I installed and configured the html filtering engine which now cleans up output so there should not be xss possible now.
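Comments 5 and 8 describe the two fixes in general terms: a secured homepage_url field and an HTML output filter for the description fields. The following is an added illustration of what such server-side checks look like; it is not the Plugin Portal's own code, the tag/attribute allowlists are hypothetical, and it uses only Python's standard library.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlists for the "Long Description" field: only these tags
# survive, and the only attribute kept is <a href>, which is URL-checked.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}

def safe_homepage_url(value):
    """Homepage / href fix: accept only absolute http(s) URLs, so a
    'javascript:' scheme or a quote-breaking value such as
    '"http://..." onclick=...' is rejected. Returns the attribute-escaped
    URL, or None when the value must not be stored or rendered."""
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    if any(c in value for c in "\"'<> "):  # no quote/angle/space in an href
        return None
    return html.escape(value, quote=True)

class DescriptionSanitizer(HTMLParser):
    """Output filter for HTML-bearing fields: re-emit only allowlisted tags
    and attributes (so on* handlers are dropped) and escape all other text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, img, ...) is dropped entirely
        kept = ""
        for name, val in attrs:  # HTMLParser lowercases names: onClick -> onclick
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # onclick and every other non-allowlisted attribute
            safe = safe_homepage_url(val or "")
            if safe is not None:
                kept += ' %s="%s"' % (name, safe)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_description(text):
    p = DescriptionSanitizer()
    p.feed(text)
    p.close()
    return "".join(p.out)
```

Run against the Long Description payload from the report, the filter emits `<b>This should be bold</b>`; the homepage values from comment 2 are both rejected by `safe_homepage_url`.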
Comment 9 akochnev 2011-04-04 13:36:21 UTC
Is the new HTML filtering installed across the board for the whole application or is it set up only to handle the input from these couple of fields that were reported ? 

Also, could you please "approve" the sample plugin that I posted (listed in previous comments) so that I can see the rest of the application functionality ?
Comment 10 Jiri Kovalsky 2011-04-04 13:39:09 UTC
(In reply to comment #9)

> Is the new HTML filtering installed across the board for the whole application
> or is it set up only to handle the input from these couple of fields that were
> reported ? 

Yes, AFAIK Honza fixed it in all places he found not only those you reported.

> Also, could you please "approve" the sample plugin that I posted (listed in
> previous comments) so that I can see the rest of the application functionality
> ?

Done.

Alex, can you please verify this issue?
Comment 11 akochnev 2011-04-04 16:28:47 UTC
This issue has been addressed. I kicked the tires some more but was unable to create any new XSS issues.