01266: refcount uses invalid XHTML markup
Description:
"?action=refcount" produces invalid XHTML. It looks like "HTML 4.01 Transitional", but PmWiki uses "XHTML 1.0 Transitional". So the function PrintRefCount() in scripts/refcount.php requires an "update":
- Each empty tag like <input>, <br>, <hr> etc. requires ending it with "/>".
- <option> lists must be closed by a </option>
- minimized attributes like "checked", "selected" etc must be written as "checked='checked'"
- <p> must be closed by </p>
Maybe there are other flaws to be verified, but these few are the obvious ones I've seen.
Additionally there are two other bugs in there:
- <form method='post'>
  A <form> requires an "action" attribute, otherwise the W3C markup validator claims an error. Should be $_SERVER['REQUEST_URI'] or similar.
- <input type='hidden' action='refcount'>
  There's no attribute "action". It should be <input type='hidden' name='action' value='refcount' />
Verifying is easy:
- Visit http://validator.w3.org/ ,
- then enter "http://www.pmwiki.org/wiki/?action=refcount"
- and finally "Check".
You'll get 371 errors (by now).
- Then remove the "?action=refcount" portion
- and "Revalidate".
You'll get "This document was successfully checked as XHTML 1.0 Transitional!"
Thanks! The action now validates, but there still may be some forgotten bug. :-) --Petko September 22, 2011, at 05:14 PM
XSS can easily happen in the <option> values - check the $tlist and $flist processing if you're bored right now ;)
RRipley 2011-09-22 22:30 UTC
At the moment I don't see how, the option values and labels come from the internal ListPages() function, not from $_REQUEST (it is only checked to enable "selected" options). --Petko September 22, 2011, at 05:55 PM
You are right. There's no direct XSS entry point since the $GroupPattern and $NamePattern do not allow HTML markup characters. So, refcount can be declared fixed.
RRipley 2011-09-23 06:10 UTC
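
An added example, not PmWiki's scripts/refcount.php and not code from anyone in this thread: a form builder that applies the XHTML fixes listed in the description and escapes every value it emits, including a form action taken from the request URI, so the output does not depend on name patterns to stay free of markup. The function names, labels, group list and sample request are assumptions made for illustration; the field names tlist and flist follow the variables mentioned above.

```php
<?php
// Added illustration with hypothetical names; not PmWiki's own code.

// Escape a value for XHTML text or a quoted attribute ("&" becomes "&amp;").
function xh($s) {
  return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// One <select> with closed <option> elements and selected='selected'.
function refcount_select($name, array $groups, array $chosen) {
  $out = "<select name='" . xh($name) . "[]' multiple='multiple' size='4'>\n";
  foreach ($groups as $g) {
    $sel = in_array($g, $chosen, true) ? " selected='selected'" : '';
    $out .= "  <option value='" . xh($g) . "'$sel>" . xh($g) . "</option>\n";
  }
  return $out . "</select>\n";
}

function refcount_form($requestUri, array $groups, array $request) {
  // Request data only selects among known groups; it is never echoed back.
  $pick = function ($key) use ($groups, $request) {
    $v = isset($request[$key]) && is_array($request[$key]) ? $request[$key] : array();
    return array_values(array_intersect($groups, array_filter($v, 'is_string')));
  };
  return "<form method='post' action='" . xh($requestUri) . "'>\n"
    . "<input type='hidden' name='action' value='refcount' />\n"
    . "<p>Show references to pages in:</p>\n"
    . refcount_select('tlist', $groups, $pick('tlist'))
    . "<p>from pages in:</p>\n"
    . refcount_select('flist', $groups, $pick('flist'))
    . "<p><input type='submit' value='Search' /></p>\n"
    . "</form>\n";
}

// Constructed sample input: a request URI and a posted value carrying markup.
$groups = array('Main', 'PmWiki', 'Site');
$uri    = "/wiki/?action=refcount&x='><i>";
$post   = array('tlist' => array('Main', "'><b>not-a-group</b>"));
echo refcount_form($uri, $groups, $post);
```

With the sample input, the action attribute is emitted with `&amp;`, `&#039;`, `&gt;` and `&lt;` in place of the raw characters, and only "Main" is marked selected because the other posted value is not a known group.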