CVE-2023-37256: T331311 Cargo allows storing javascript URLs in URL fields, and automatically linking them

An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. It allows one to store javascript: URLs in URL fields, and automatically links these URLs.


Cargo allows storing javascript URLs in URL fields, and automatically linking them

Status: Closed, Resolved · Public (Security)


You can declare a Cargo table with a field of type URL. You can then store URLs like javascript:alert(1) in them. These URLs can be malicious, and a user could be tricked into clicking on them. Cargo should probably not allow storing javascript: scheme URLs.

Note: It's notoriously difficult to blacklist javascript: protocol URLs, because browsers accept lots of variants. MediaWiki usually solves this problem by whitelisting good URL protocols, although I don't know if Cargo considers it acceptable to only allow a small set of good URLs. Maybe Cargo should allow everything, but only automatically link things that meet wfUrlProtocols().

Author Affiliation: Other (Please specify in description)
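The task description above makes two points: a denylist of the literal string javascript: is bypassed by the variants browsers accept, and an allowlist of known-good protocols (the approach MediaWiki takes with $wgUrlProtocols and wfUrlProtocols()) avoids the problem. The following is an added example illustrating both points; it is not code from Cargo or MediaWiki. It runs under Node.js and uses the WHATWG URL parser, which follows the same normalisation rules a browser applies to an href. The sample values, the naive denylist, and the ALLOWED_PROTOCOLS list are constructed for illustration; the list is a small subset and not a copy of MediaWiki's default configuration.

```javascript
// Added example (not Cargo's or MediaWiki's code): why a string denylist for
// "javascript:" fails, and how an allowlist of good URL protocols behaves.
// Requires Node.js 18+ (global WHATWG URL class).

// Constructed inputs: a few legitimate values plus javascript: variants that a
// browser still executes. Browsers strip leading/trailing whitespace and remove
// tabs and newlines before reading the scheme, and compare schemes
// case-insensitively, so all of these resolve to the javascript: scheme.
const SAMPLE_VALUES = [
  'https://example.org/page',
  'mailto:someone@example.org',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  '  javascript:alert(1)',          // leading spaces
  'java\tscript:alert(1)',          // tab inside the scheme
  'java\nscript:alert(1)',          // newline inside the scheme
  'data:text/html,<script>alert(1)</script>',
  '/relative/path',
];

// The check a developer is tempted to write: reject values that literally start
// with "javascript:". Every variant above except the first javascript: entry
// gets through it.
function naiveDenylist(value) {
  return !value.startsWith('javascript:');
}

// Illustrative allowlist of schemes considered safe to autolink (assumption:
// a hand-picked subset, not MediaWiki's actual $wgUrlProtocols list).
const ALLOWED_PROTOCOLS = ['http:', 'https:', 'ftp:', 'mailto:'];

// The scheme the browser will actually act on, after WHATWG normalisation,
// or null when the value does not parse as an absolute URL at all.
function effectiveProtocol(value) {
  try {
    return new URL(value).protocol;
  } catch {
    return null;
  }
}

// Allowlist check: parse the value the way the browser would, then require a
// known-good scheme. Relative, malformed, and unknown-scheme values are simply
// not linked; they can still be stored as plain text.
function isLinkableUrl(value) {
  const protocol = effectiveProtocol(value);
  return protocol !== null && ALLOWED_PROTOCOLS.includes(protocol);
}

// Side-by-side result for each sample value.
function classify(values) {
  return values.map((value) => ({
    value,
    effectiveProtocol: effectiveProtocol(value),
    passesDenylist: naiveDenylist(value),
    passesAllowlist: isLinkableUrl(value),
  }));
}

for (const row of classify(SAMPLE_VALUES)) {
  console.log(JSON.stringify(row));
}
```

The output shows that every javascript: variant except the plain lowercase one passes the denylist while parsing to the javascript: scheme, whereas the allowlist links only the http, https, ftp and mailto values. Note that the allowlist rejects data: as well, which a denylist built only around javascript: would also miss.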


Event Timeline

Bawolff changed Author Affiliation from N/A to Other (Please specify in description).Mar 6 2023, 5:54 PM


I think you’d need to escape $value if $escapeValue is true.

Otherwise looks good.

Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL
