[ckan-dev] cross-site scripting issue with resource preview

Jörg-Thomas Vogt joerg-thomas.vogt at yourdata.de
Tue Feb 24 15:08:50 UTC 2015


Hello everybody,

I'm using CKAN 2.2.1 with the datapusher extension and recline preview 
for csv- and txt-files.
A penetration test raised the following issue:

After uploading the following "CSV" file and pushing it to the datastore,
a preview of the respective resource leads to an alert popup showing "123".
So at least the contents of the header are being evaluated, which leads to
code execution during preview:

========== cut ============
field1;field2<script>alert(123)</script>;field3
data1;data2;data3"><script>alert(456)</script>
========== cut ============

The same code execution happens if a text file with the following contents
is uploaded and previewed:

========== cut =============
<script>alert(document.cookie)</script>
========== cut =============

Is this an already known issue? Any way to prevent this?

Many thanks

Thomas
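
Added example, not part of the original message and not CKAN or Recline code: the behaviour reported above is what happens when uploaded field values reach the preview's HTML without output encoding. The JavaScript below renders the two files from the report with and without encoding; every function name is hypothetical, and the CSV split is a minimal one that only handles this sample.

```javascript
// Hypothetical helpers for illustration; not taken from CKAN or Recline.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal split of a semicolon-delimited file (no quoted-field handling).
function parseRows(text) {
  return text.split(/\r?\n/).filter((line) => line.length > 0).map((line) => line.split(';'));
}

// One table cell; the value is used both as an attribute and as cell text,
// so quotes matter as much as angle brackets.
function cell(tag, value, encode) {
  return `<${tag} title="${encode(value)}">${encode(value)}</${tag}>`;
}

// Build the preview table, passing every header and data value through `encode`.
function renderTable(rows, encode) {
  const [header, ...body] = rows;
  const head = header.map((h) => cell('th', h, encode)).join('');
  const lines = body.map((r) => `<tr>${r.map((c) => cell('td', c, encode)).join('')}</tr>`);
  return `<table><thead><tr>${head}</tr></thead><tbody>${lines.join('')}</tbody></table>`;
}

// Unencoded: markup inside the data reaches the page as markup.
function renderPreviewUnsafe(csvText) {
  return renderTable(parseRows(csvText), (v) => v);
}

// Encoded: the same data is displayed as literal text.
function renderPreviewSafe(csvText) {
  return renderTable(parseRows(csvText), escapeHtml);
}

// Plain-text preview: encode the whole body before placing it in <pre>.
function renderTextPreviewSafe(text) {
  return `<pre>${escapeHtml(text)}</pre>`;
}

// The two files quoted in the report.
const SAMPLE_CSV = 'field1;field2<script>alert(123)</script>;field3\n' +
  'data1;data2;data3"><script>alert(456)</script>\n';
const SAMPLE_TXT = '<script>alert(document.cookie)</script>';

console.log(renderPreviewSafe(SAMPLE_CSV));
console.log(renderTextPreviewSafe(SAMPLE_TXT));
```

When the preview is built through the DOM instead of string concatenation, assigning values with `textContent` and `setAttribute` gives the same result without a hand-written encoder.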
