Ticket #1347 (closed bug: fixed)

Opened 2 years ago

Last modified 2 years ago

Strip "javascript:" from display click link

Reported by: jeroen
Owned by: pablo
Priority:
Milestone: Player 5.7
Component: general
Keywords:
Cc:
Forum thread:

Description (last modified by pablo)

When the option "displayclick=link" is enabled, one could execute javascript instead of visiting a link. Example:

 http://server.com/player.swf?file=video.mp4&link=javascript:alert(document.cookie)&linktarget=_self&displayclick=link&autostart=true&controlbar=none

This can get fixed by sniffing for and removing javascript:, much like we do this for asfunction:. This sniffing/removal can be done at playlist loading or on display click (since displayclick=link is the only possible mechanism).

Credit for finding this bug goes to Szymon Gruszecki (CVE-2011-2413)
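An added example, not code from the player or the ticket: an allowlist check for the link option along the lines the description suggests, written in JavaScript (the player itself is ActionScript) with the assumed names sanitizeClickLink and parsePlayerOptions and a constructed base URL. Allowing only http/https is more robust than stripping a known-bad prefix, because the URL parser normalises scheme case and surrounding whitespace before the check runs.

```javascript
// Added example (not the player's own code). Assumed helper names.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised URL if it uses an allowed scheme (relative links
// resolve against the page), otherwise null. The WHATWG URL parser lowercases
// the scheme and trims leading/trailing whitespace, so "javascript:" and
// "asfunction:" links are rejected without a fragile string match.
function sanitizeClickLink(link, base = "https://example.invalid/player/") {
  if (typeof link !== "string" || link.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(link, base);
  } catch {
    return null; // unparseable: refuse rather than guess
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Parses the player's query string (option names as in the ticket) and applies
// the check at load time; a rejected link becomes null, which disables the
// click-through instead of running it.
function parsePlayerOptions(queryString) {
  const opts = Object.fromEntries(new URLSearchParams(queryString).entries());
  if (opts.displayclick === "link") {
    opts.link = sanitizeClickLink(opts.link);
  }
  return opts;
}
```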

Change History

comment:1 Changed 2 years ago by pablo

  • Status changed from new to closed
  • Resolution set to fixed

Completed in [1821]

comment:2 Changed 2 years ago by pablo

  • Description modified

comment:3 Changed 2 years ago by pablo

  • Description modified

comment:4 Changed 2 years ago by pablo

  • Description modified