
Persistent Cross-Site Scripting #408

Open
willasaywhat opened this issue Feb 24, 2018 · 1 comment

Comments

@willasaywhat

If you set the first name (or any other field) of a user's record to include <script>alert(1)</script>, the application will alert 1 on any screen where that username is shown. Likewise, this can be used to redirect to another site and/or access cookies and other browser-based activities. Output should be HTML encoded for any and all user-supplied data.

@elplatt
Owner

elplatt commented Mar 1, 2018

Good catch!

I think the solution here is to implement a check_plain() function similar to Drupal's and make sure it gets called on all user-submitted data. I'll do this if I get time but could definitely use some help.
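An added example, not the project's code, of the check_plain() approach described in the comment above applied to the first-name case from the report: the user record, the page template and the tag-collecting check are all constructed here, and the encoding mirrors Drupal 7's check_plain (htmlspecialchars with ENT_QUOTES, empty string for invalid UTF-8).

```python
import html
from html.parser import HTMLParser

# Constructed sample record: the first name carries the payload from the report.
SAMPLE_USER = {"first_name": "<script>alert(1)</script>", "last_name": "Doe"}


def check_plain(text):
    """Encode user-supplied text for safe output inside HTML text content.

    Mirrors Drupal 7's check_plain(): invalid UTF-8 yields an empty string,
    otherwise &, <, >, " and ' are replaced by entity references.
    """
    if isinstance(text, bytes):
        try:
            text = text.decode("utf-8")
        except UnicodeDecodeError:
            return ""
    return html.escape(text, quote=True)


def render_user_vulnerable(user):
    """The pattern in the report: raw field values pasted straight into markup."""
    return "<p>Welcome, {} {}</p>".format(user["first_name"], user["last_name"])


def render_user_hardened(user):
    """Same template, but every user-controlled value passes through check_plain()."""
    return "<p>Welcome, {} {}</p>".format(
        check_plain(user["first_name"]), check_plain(user["last_name"])
    )


class _TagCollector(HTMLParser):
    """Records the element names a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(fragment):
    """Tags the parser sees; a 'script' entry means the field became live markup."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags
```

check_plain() is only correct for HTML text content; a value placed inside an attribute, a URL or inline JavaScript needs the encoding for that context, and the call belongs at output time rather than on the stored value.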

@chris18890 chris18890 added this to the V0.5.6 milestone Mar 23, 2018
@chris18890 chris18890 modified the milestones: v0.5.8, v0.5.11 May 24, 2020
@chris18890 chris18890 modified the milestones: v0.5.11, Backlog Feb 10, 2022