[tahoe-dev] [tahoe-lafs] #1142: Unlikely XSS Potential in File Names in WUI

Chris Palmer chris at noncombatant.org
Wed Aug 4 23:30:53 UTC 2010


> Do we know what their HTML-detector looks like? Is it looking at the start
> of the body, or in the middle? Specifically, would a text/plain response
> that says "No such child: <html><body><div>yay XSS</div></body></html>"
> get picked up as HTML?

I think it would, yes. I don't know the exact details of their HTML detector ---
google around for [ mime sniffing ]. Generally, assume IE will do everything
it can to treat anything (even JPEGs... apparently...) as HTML/JavaScript.

> If it's really stupid and looks in the middle, I suppose our defense is to
> return a text/html error message in which the filename has been safely
> encoded. (the CLI tools use a "Accept: text/plain, application/octet-
> stream" header, and I imagine IE accepts text/html, so we can have the
> server continue to give text/plain to the CLI tools).

If you're confident in your encoding, sure.
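The defence sketched in the quoted message (a text/html error page with the filename encoded for browsers, text/plain kept for the CLI tools, chosen from the Accept header), as an added example that is not part of this thread or of Tahoe-LAFS's own code. The X-Content-Type-Options: nosniff header is an addition beyond what the thread discusses, the Accept parsing is a deliberately simplified assumption, and the sample filename is constructed.

```python
import html
from typing import Dict, List, Tuple

# Constructed sample: a child name that an attacker could choose so that the
# "No such child: ..." error body looks like an HTML document to a sniffer.
EVIL_NAME = '<html><body><div>yay XSS</div></body></html>'


def accepted_types(accept_header: str) -> List[str]:
    """Media types listed in an Accept header, parameters such as q=0.8 dropped.
    Simplified on purpose: no q-value ordering, no wildcard ranking."""
    types = []
    for part in accept_header.split(","):
        media = part.split(";", 1)[0].strip().lower()
        if media:
            types.append(media)
    return types


def client_wants_html(accept_header: str) -> bool:
    """True for a browser-style Accept header, False for the CLI's
    'text/plain, application/octet-stream'."""
    return any(t in ("text/html", "text/*", "*/*") for t in accepted_types(accept_header))


def no_such_child_response(filename: str, accept_header: str) -> Tuple[int, Dict[str, str], str]:
    """Build the 404 so the untrusted filename is safe for whichever client asked.

    Browsers get text/html with the name HTML-escaped, so '<div>' arrives as
    '&lt;div&gt;' and is never parsed as markup.  CLI tools keep the plain-text
    body they already parse.  Both responses carry nosniff so a sniffing
    browser that did receive the plain variant is told not to reinterpret it.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    if client_wants_html(accept_header):
        headers["Content-Type"] = "text/html; charset=utf-8"
        body = ("<html><body><p>No such child: %s</p></body></html>"
                % html.escape(filename, quote=True))
    else:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        body = "No such child: %s\n" % filename
    return 404, headers, body


if __name__ == "__main__":
    for accept in ("text/html,application/xhtml+xml,*/*;q=0.8",
                   "text/plain, application/octet-stream"):
        status, hdrs, body = no_such_child_response(EVIL_NAME, accept)
        print(status, hdrs["Content-Type"], repr(body))
```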


