Javascript Injection


Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.
cesarecontini
Posts: 2
Joined: Mon Mar 17, 2014 9:04 am

Javascript Injection

Postby cesarecontini » Mon Mar 17, 2014 9:12 am

I have been testing PKP Open Journal Systems (v. 2.4.2) and I can see that when submitting forms in general, if I try to inject JavaScript bits of code, e.g. <script>alert('hello')</script>, these won't be removed. As this would be a great threat for XSS attacks, is it possible to set an XSS filter somewhere in the settings?

Regards,
Cesare

JasonNugent
Site Admin
Posts: 910
Joined: Tue Jan 10, 2006 6:20 am

Re: Javascript Injection

Postby JasonNugent » Mon Mar 17, 2014 10:28 am

Hi Cesare,

We do not alter what is submitted, but all unsafe HTML like script elements are already filtered out when content is displayed for viewing, like on an article's abstract page. We incorporate a PHP library called HTML Purifier that has a configuration setting in config.inc.php that determines what tags are allowed and which ones are not.

Regards,
Jason

cesarecontini
Posts: 2
Joined: Mon Mar 17, 2014 9:04 am

Re: Javascript Injection

Postby cesarecontini » Tue Mar 25, 2014 6:37 am

Dear Jason,

Many thanks for your reply. Does the HTML Purifier need to be configured when you have a fresh install in place? It looks like any form I submit would not filter any <script> tag, either for TinyMCE-based fields or ordinary HTML form fields like text/textarea inputs.

Regards,
Cesare Contini

JasonNugent
Site Admin
Posts: 910
Joined: Tue Jan 10, 2006 6:20 am

Re: Javascript Injection

Postby JasonNugent » Thu Apr 03, 2014 6:55 am

Hi Cesare,

We never strip during storage, only during display. There is a configuration option within our TinyMCE plugin for allowed HTML but the HTML Purifier is used in our display templates when |strip_unsafe_html is added as a filter to displayed output. It's there automatically.

Regards,
Jason
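Jason's two replies describe one model: what the author submitted is stored untouched, and the only defence is an allowlist filter applied on the display path (the |strip_unsafe_html modifier backed by HTML Purifier). The script below is an added illustration of that model, not OJS code and not HTML Purifier: it uses Python's html.parser to build a small allowlist sanitizer, stores a constructed abstract carrying a script tag, a javascript: link, an inline event handler and an onerror image, and then renders it through a filtered and an unfiltered display path. The allowlist, the sample abstract and the function names are constructed for the example; OJS's real allowlist lives in config.inc.php and is not reproduced here.

```python
"""Store raw, sanitize on display: a minimal model of the approach in the thread.

Added example, not OJS or HTML Purifier code. The allowlist, the sample
submission and the storage/render helpers are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed allowlist: tag -> permitted attributes (assumption, not OJS's list).
ALLOWED = {
    "p": set(), "em": set(), "strong": set(), "br": set(),
    "a": {"href", "title"},
}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes.

    Disallowed elements are dropped but their text is kept, except for
    script/style whose content is dropped too. Text and attribute values
    are re-escaped on output, and href must use an allowlisted scheme.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED:
            return  # drop the element; its inner text still arrives via handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onclick, onerror, style, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def strip_unsafe_html(fragment: str) -> str:
    """Display-time filter, playing the role of the |strip_unsafe_html modifier."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample submission: an abstract carrying several XSS attempts.
SUBMITTED_ABSTRACT = (
    '<p>Results were <strong>significant</strong>.'
    '<script>alert("hello")</script>'
    '<a href="javascript:alert(1)" onclick="alert(2)">read more</a>'
    '<img src=x onerror="alert(3)"></p>'
)

database = {}  # stands in for the articles table


def store_abstract(article_id, text):
    """Storage path: keep exactly what the author submitted, no stripping."""
    database[article_id] = text


def render_abstract(article_id):
    """Display path that applies the filter: the only place sanitizing happens."""
    return strip_unsafe_html(database[article_id])


def render_abstract_unfiltered(article_id):
    """A display path that forgot the filter: the stored payload reaches the browser."""
    return database[article_id]


if __name__ == "__main__":
    store_abstract(1, SUBMITTED_ABSTRACT)
    print("stored  :", database[1])
    print("filtered:", render_abstract(1))
```

The point the thread makes, and the check a practitioner wants, is the difference between the last two functions: with store-raw semantics the stored value still contains the script tag, so every template that echoes user-supplied HTML must go through the filter, and a single display path that skips it (a new plugin, a report, an RSS feed, an admin view) re-exposes the stored payload. Grepping templates for user-supplied fields rendered without the modifier is the practical audit step.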
