Node titles are printed in the trackback RDF with no encoding or alteration. Even though the RDF is placed in an HTML comment, it is only necessary to place two adjacent hyphens in a title to end the comment. The following is an example of a node title that would cause JavaScript to be executed for every visitor if the node had trackbacks enabled.

A test --> <script>alert('gotcha')</script>

At the minimum, the title included in the RDF element should be passed through check_plain(), but because it is inside an HTML comment the dashes must be encoded in some way to prevent such exploits. The obvious solutions are to replace -- with &ndash; or to eliminate this dubious feature altogether. It seems that trackback RDF never caught on anyway.

Double hyphens are often used by authors, so even ignoring the exploit risk (assuming all authors are trusted), any instance of -- in a page title will cause the HTML comment to end and the RDF to be visible.

Comments

zorac

Status: Active » Fixed

This issue is fixed. Now Trackback 5.x-1.3 and 4.7.x-1.3 are released.
Thank you, tangent.

Anonymous

Status: Fixed » Closed (fixed)