[Cosmo-dev] Bug 9930: XSS vulnerability (or, h4x0r5 will steal ur passwurds!)

Travis Vachon travis at osafoundation.org
Fri Jul 13 18:55:15 PDT 2007


Hi folks

During bug council today it was mentioned that we need to have a list  
discussion about bug 9930. For anyone that hasn't seen it, this is a  
pretty classic example of what wikipedia refers to as a "type 2" XSS  
bug: http://en.wikipedia.org/wiki/XSS

The long and short of this is that anyone can run arbitrary code in  
the web ui by setting the title of an event to some sneaky html. To  
try this out, log in to any recent version of Cosmo before r5077 (for  
example, qacosmo as of right now) and enter "<img  
src='doesntexist.jpg' onerror='alert(cosmo.util.auth.getPassword())'/>"  
as the title of an event. It would be an easy extension of this  
to put the password in an event and save it to the server, allowing  
anyone subscribed to the calendar you are looking at to see your  
password.

I've gone ahead and fixed this particular bug, and confirmed that  
this is not a problem in the calendar ui or the collection selector.  
That said, we should probably do a full review of the UI and the UI  
code at some point to make sure there are no other places that this  
could happen. From the discussion in IRC today it sounds like the  
current feeling is that this review will be punted to post preview,  
possibly 0.7.1 (the real, new 0.7.1 ;-) ) but we felt it should be  
discussed on the list to make sure there is community agreement. At  
least part of the reasoning behind this feeling is that we expect our  
users to have some sort of trusting relationship with anyone they  
share their calendars with.

Personally, I would suggest that we consider any XSS bugs we find  
blockers for the release, since they tend to be easy to fix (see  
r5077) but wait until later to do a thorough code review. Perhaps  
foolishly, I volunteer to grab any that we find.

Let the debate (or lack thereof) begin!

-Travis
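The class of bug described in this thread comes from dropping a user-supplied event title straight into markup. The following is an added illustration, not Cosmo's code and not the r5077 fix; the helper names (escapeHtml, renderTitleUnsafe, renderTitleSafe, containsTag) and the sample title are assumptions constructed for this example. It shows the unsafe and the escaped rendering side by side and a small check a reviewer could run over rendered output.

```javascript
// Added example (not from Cosmo or the original post). Demonstrates
// HTML-escaping an untrusted event title before it is interpolated into
// markup. Helper names are hypothetical.

// Escape the five characters that can change HTML or attribute context.
function escapeHtml(text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;'
  };
  return String(text).replace(/[&<>"']/g, function (ch) {
    return map[ch];
  });
}

// Unsafe rendering: the raw title is concatenated into markup, so a title
// containing a tag becomes live DOM as soon as innerHTML parses it.
function renderTitleUnsafe(title) {
  return '<span class="event-title">' + title + '</span>';
}

// Safe rendering: the title is escaped first, so the browser shows the
// literal text and never sees an element or an event handler attribute.
function renderTitleSafe(title) {
  return '<span class="event-title">' + escapeHtml(title) + '</span>';
}

// Review check: does a piece of (supposedly escaped) user text still
// contain anything that the HTML parser would treat as a tag start?
function containsTag(text) {
  return /<[a-zA-Z!\/]/.test(text);
}

// Constructed sample title in the shape of the bug report, with a harmless
// payload. Not a real Cosmo event.
var hostileTitle = "<img src='doesntexist.jpg' onerror='alert(1)'/>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe: ' + renderTitleUnsafe(hostileTitle));
  console.log('safe:   ' + renderTitleSafe(hostileTitle));
  console.log('escaped title still contains a tag? ' +
    containsTag(escapeHtml(hostileTitle)));
}
```

Escaping is the right tool only when a string is being built and then handed to innerHTML or a template; when the UI code already has a DOM node in hand, assigning the title via a text node (document.createTextNode or textContent) avoids the problem without any escaping at all. A UI review of the kind proposed in the thread would look for every place a stored value reaches innerHTML or a string template without passing through one of these two paths.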
