Javascript Injection

Postby cesarecontini » Mon Mar 17, 2014 9:12 am

I have been testing PKP Open Journal System (v. 2.4.2) and I can see that when submitting forms in general, if I try to inject javascript bits of code, i.e. <script>alert('hello')</script>, these won't be removed. As this would be a great threat for XSS attacks, is it possible to set an XSS filter somewhere in the settings?

Regards,
Cesare
cesarecontini
 
Posts: 2
Joined: Mon Mar 17, 2014 9:04 am

Re: Javascript Injection

Postby JasonNugent » Mon Mar 17, 2014 10:28 am

Hi Cesare,

We do not alter what is submitted, but all unsafe HTML like script elements are already filtered out when content is displayed for viewing, like on an article's abstract page. We incorporate a PHP library called HTML Purifier that has a configuration setting in config.inc.php that determines what tags are allowed and which ones are not.

Regards,
Jason
JasonNugent
Site Admin
 
Posts: 864
Joined: Tue Jan 10, 2006 6:20 am

Re: Javascript Injection

Postby cesarecontini » Tue Mar 25, 2014 6:37 am

Dear Jason,

many thanks for your reply. Does the HTML Purifier need to be configured when you have a fresh install in place? It looks like any form I submit would not filter any <script> tag, either for TinyMCE-based fields or ordinary HTML form fields like text/textarea inputs.

Regards,
Cesare Contini
cesarecontini
 
Posts: 2
Joined: Mon Mar 17, 2014 9:04 am

Re: Javascript Injection

Postby JasonNugent » Thu Apr 03, 2014 6:55 am

Hi Cesare,

We never strip during storage, only during display. There is a configuration option within our TinyMCE plugin for allowed HTML but the HTML Purifier is used in our display templates when |strip_unsafe_html is added as a filter to displayed output. It's there automatically.

Regards,
Jason
JasonNugent
Site Admin
 
Posts: 864
Joined: Tue Jan 10, 2006 6:20 am
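The two replies above describe one design: what a user submits is stored untouched, and the unsafe-HTML filter runs on the display path (in OJS, HTML Purifier behind the |strip_unsafe_html template filter). The following is an added example illustrating that split, not OJS code and not HTML Purifier; it is written in Python rather than PHP so it runs stand-alone, and every name in it (AllowlistSanitizer, store_submission, render_abstract, the SUBMISSIONS dict, the tag and attribute allowlists) is hypothetical. It also shows why the display-side filter cannot be a deny-list: an allowlist drops script elements with their contents, event-handler attributes and javascript: links without having to enumerate them, and re-encodes text so decoded entities cannot turn back into markup.

```python
"""Store raw, sanitise on display: an allowlist HTML filter.

Constructed example. Not OJS code and not HTML Purifier; all names are hypothetical.
"""
from html import escape
from html.parser import HTMLParser

# Allowlist: any tag or attribute not listed here is dropped at display time.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
# Elements whose text is code rather than prose: drop the contents as well as the tag.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises its input, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.drop_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # tag removed; its text children still arrive via handle_data
        rendered = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers such as onclick never match the allowlist
            value = value or ""
            if name == "href" and not value.lower().lstrip().startswith(SAFE_URL_PREFIXES):
                continue  # only http(s) and mailto links survive; javascript: is dropped
            rendered += f' {name}="{escape(value, quote=True)}"'
        self.parts.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            # The parser decoded entities; re-encode so text can never become markup.
            self.parts.append(escape(data))

    def result(self):
        return "".join(self.parts)


def sanitize_for_display(raw_html):
    """Display-side filter, the analogue of piping output through a strip filter."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(raw_html)
    sanitizer.close()
    return sanitizer.result()


SUBMISSIONS = {}  # constructed in-memory stand-in for the journal database


def store_submission(submission_id, abstract_html):
    """Store exactly what was submitted: no stripping at storage time."""
    SUBMISSIONS[submission_id] = abstract_html


def render_abstract(submission_id):
    """The display path is where the filter must run; omitting it here is the XSS."""
    return sanitize_for_display(SUBMISSIONS[submission_id])


if __name__ == "__main__":
    store_submission(1, 'Hello <b>world</b><script>alert("hello")</script>')
    print(repr(SUBMISSIONS[1]))      # stored untouched, script tag and all
    print(repr(render_abstract(1)))  # rendered without the script element
```

The check a practitioner would make against a real install follows from the second function: look at the stored record (the script tag will be there, as the original poster saw) and then at every template that echoes that field, since only the paths that apply the display filter are protected.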
