My high school buddy Kevin forwards along a reference to a vulnerability in the Blosxom writeback plugin. The advisory concerns insufficient HTML validation, i.e. a failure to strip out malicious script code. However, I’m not sure what version of writeback they are looking at, because on visual inspection the copy I have doesn’t have this problem. They say the issue is:
In the writeback plugin, the code to filter out tags is a simple regular expression: “s/<.*?>//mg”. So entering scripts as “<script>alert('test');</script>” will get filtered into “alert('test');” and no code will be executed by the client.
Now as I dig through, I see that I’m using writebackplus, which doesn’t appear to have this vulnerability. This is the plugin that was even stripping out the paragraph tags that so irked some correspondents. Just to be sure, I’ll leave myself a writeback to test this out. For those of you out there using the original writeback plugin, I’d recommend either fixing the regular expression yourself if you can or switching to writebackplus. If in doubt, temporarily remove this plugin while you sort it out.
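To make the “fix it yourself” option concrete, here is a small Perl script I’ve added for illustration; it is not code from the writeback or writebackplus plugins. It runs the exact regex the advisory quotes over the advisory’s own sample comment, and beside it shows the usual hardening for comment bodies: escaping the characters that start markup instead of trying to delete tags. The sample comment bodies are constructed for the demo, and the escape_html routine is my suggestion, not something the plugin ships.

```perl
#!/usr/bin/perl
# Added example, not part of the Blosxom writeback plugin.
# Contrasts the tag-stripping regex quoted in the advisory with
# HTML-escaping the comment body (editor's suggested hardening).
use strict;
use warnings;

# The filter exactly as quoted in the advisory:
# delete anything that looks like a tag, non-greedily.
sub strip_tags {
    my ($text) = @_;
    $text =~ s/<.*?>//mg;
    return $text;
}

# Suggested alternative (assumption: the template emits the comment body as
# HTML text, not inside an attribute or a <script> block): keep the text
# exactly as typed, but turn the markup-significant characters into entities
# so the browser renders them as literal characters rather than parsing them.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;    # must come first, or later entities get re-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Constructed sample comment bodies for the demo.
my @samples = (
    "<script>alert('test');</script>",         # the advisory's own example
    "Plain comment with a <b>bold</b> word",   # harmless markup a reader might type
);

for my $body (@samples) {
    print "input:    $body\n";
    print "stripped: ", strip_tags($body), "\n";   # advisory example -> alert('test');
    print "escaped:  ", escape_html($body), "\n\n";
}
```

Stripping and escaping differ in what they rely on: a strip filter is only as good as the regex’s ability to match every string a browser would treat as a tag, and it silently discards whatever it matches, while escaping never has to recognise a tag at all and leaves the reader’s text intact. If you patch the original plugin, escaping the body before it goes into the page is the smaller change to get right.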