I'm an Onward 2016 author, and I noticed that the conference web site allows unfiltered HTML in my abstract, as the text field placeholder helpfully advertises. A malicious author who could entice another user to view their abstract while logged in could write JavaScript to execute arbitrary actions with the privileges of that user. As a simple demo, if you view my abstract, you'll see "oops" in the browser console.

Please turn on the filtering, unless you believe it would be likely to break legitimate use cases.

I can't confirm whether this problem is broader than Onward 2016, but I asked the PC chair (Emerson Murphy-Hill) and he told me to file a bug here.

Submitted by Matt McCutchen on 25 August 2016 at 08:51

On 25 August 2016 at 09:20 Elmer van Chastelet commented:

Hi Matt, thanks for sharing.

This is indeed a security issue. We previously filtered all markdown text for specific HTML/JS, but later removed this filtering at specific places that were to be managed by content managers of the conference editions/tracks. At that moment, authors were not allowed to edit parts of the event details of their paper. I think we started supporting unfiltered HTML in abstracts to have some way to embed some slides or video in the abstract. But this is not needed anymore, as we have separate fields for embedded media.
Because authors of papers can now edit the event details, including the abstract, we should definitely filter the markdown texts again. I'll try to fix this today.

On 25 August 2016 at 09:45 Matt McCutchen commented:

Great. As an aside, I realize that if content managers can still use unfiltered HTML, then they could collect user passwords and use them to log in to other conference sites. That could be fixed by having users enter their password only on http://conf.researchr.org and using a single sign-on protocol such as OpenID Connect to log in to conference sites. Do you care? Shall I file a separate bug?

On 26 August 2016 at 10:24 Elmer van Chastelet tagged 0.9._56

On 26 August 2016 at 11:09 Elmer van Chastelet commented:

We are planning to improve login later this year, so you only needs to log-in once for all conf-hosted conferences served from any domain.

On 26 August 2016 at 11:09 Elmer van Chastelet closed this issue.

Log in to post comments