57 matches found
GHSA-6FH7-FWQJ-MV49 HTML Purifier Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped print_r output."...
Nextcloud: URI scheme bypass in mail app lead to HTML content spoof and opener control
Bug: When we load an HTML mail from a mailbox via API, etc. http://nextcloud/index.php/apps/mail/accounts//folders/SU5CT1g=/messages//html Our content will be passed to HTML Purifier to strip malicious XSS patterns. After that, a filter will apply to transform acceptable URI schemes http, https, ftp,...
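TinyRise latest version: injection to obtain sensitive information
Brief description: TinyRise latest version: injection to obtain sensitive information. Detailed description: The main problem is in filterclass.php: public static function text$str $config = HTMLPurifierConfig::createDefault; $cachedir=Tiny::getPath'cache'."/htmlpurifier/"; if!fileexists$cachedir File::mkdir$cachedir; $config = HTMLPurifierConfig::createDefault; //configure the cache directory...
TinyShop SQL injection (GPC enabled, filter bypass)
Brief description: The earlier reports were all about finding programmer oversights; this one bypasses the program's anti-injection protection. Detailed description: Environment: GPC = On public static function sql$str //filter function if !getmagicquotesgpc //escape when gpc is off; this patched that odd earlier vulnerability //not used mainly because a mysql connection is needed first //$str = mysqlrealescapestring$str; $str = addslashes$str; $str =...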
[SECURITY] Fedora 19 Update: php-htmlpurifier-htmlpurifier-4.6.0-1.fc19
Standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive white list, it will also make sure your documents are standards compliant, something only achievable with a...
[SECURITY] Fedora 20 Update: php-htmlpurifier-htmlpurifier-4.6.0-1.fc20
Standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive white list, it will also make sure your documents are standards compliant, something only achievable with a...
Fedora 19 : php-htmlpurifier-htmlpurifier-4.6.0-1.fc19 (2014-9379)
HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMA...
Fedora 20 : php-htmlpurifier-htmlpurifier-4.6.0-1.fc20 (2014-9361)
HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMA...
CVE-2011-3744
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
CVE-2011-3744
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
UBUNTU-CVE-2011-3744
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
Design/Logic Flaw
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
CVE-2011-3744
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
CVE-2011-3744
CVE-2011-3744 affects HTML Purifier 4.2.0. The vulnerability allows remote attackers to obtain sensitive information by requesting a .php file directly, causing an error message that reveals the installation path (as shown in tests/PHPT/Reporter/SimpleTest.php and related files). Multiple connect...
CVE-2010-4183
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
DEBIAN-CVE-2010-4183
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
CVE-2010-4183
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
CVE-2010-4183
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
CVE-2010-4183
HTML Purifier 0.x/1.x up to 4.0.x is affected by CVE-2010-4183. When using Internet Explorer, an attacker can trigger XSS via crafted CSS properties (background-image, background, or font-family) to inject script/HTML. The vulnerability is tied to HTML Purifier before 4.1.0; remediation is to upg...