Commit
Fixed issue #16611: not possible anymore to add xss when updating users fullname in usermanagement (small change)
417388c
Other areas of this application are still vulnerable to the XSS filter bypass mentioned in the bug report linked to this commit. Following the steps to recreate from this bug report (https://bugs.limesurvey.org/view.php?id=16591) will still trigger an XSS vulnerability when using the filter bypass payload described in this report (https://bugs.limesurvey.org/view.php?id=16611).
But more: XSS must be fixed in the View, not the controller …
Yes, more information on implementing output encoding can be found in the "Remediation Resources" section of the linked reports above or here if needed: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
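The two comments above make the same point the OWASP cheat sheet makes: stripping markup in the controller at save time cannot know which output context the value will later land in, whereas encoding in the view can pick the right encoder per context. The block below is an added illustration written for this page, not LimeSurvey code; the helper names `e()` and `js()`, the `naiveControllerFilter()` stand-in and the `$user` sample row are all constructed for the example.

```php
<?php
// Added example (not LimeSurvey's code): encode at output, per context, in the view.
declare(strict_types=1);

// HTML body and quoted-attribute context. ENT_QUOTES encodes both quote
// characters, ENT_HTML5 selects HTML5 entities, and the explicit charset
// avoids depending on the default_charset ini setting. The view must still
// place the attribute value inside double quotes; a helper cannot enforce that.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript string context needs a different encoder: a JSON literal
// with the HTML-significant characters hex-escaped so the string can never
// close the surrounding <script> element or the string delimiter.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Stand-in for the controller-side approach: filtering markup at save time.
// It has to guess the output context, and it mangles legitimate input that
// merely looks like markup (strip_tags drops the bracketed part below).
function naiveControllerFilter(string $fullname): string
{
    return strip_tags($fullname);
}

// Constructed sample row: a legitimate display name with HTML metacharacters.
$user = ['users_name' => 'obrien', 'full_name' => "Liam O'Brien <QA & Support>"];

// Controller-side filtering silently changes what the user typed.
$stored = naiveControllerFilter($user['full_name']);   // "Liam O'Brien "

// View-side encoding keeps the raw value in the database and renders it
// safely in each context: element content, attribute value, script string.
$html  = '<td>' . e($user['full_name']) . "</td>\n";
$html .= '<input type="text" name="full_name" value="' . e($user['full_name']) . "\">\n";
$html .= '<script>var fullName = ' . js($user['full_name']) . ";</script>\n";

echo "stored by controller filter: {$stored}\n";
echo $html;
// The browser displays the name exactly as typed; < > & ' " reach it as
// entities or escapes and are never parsed as markup or script.
```

In a Yii 1 application such as LimeSurvey, `CHtml::encode()` is the framework's wrapper around the same `htmlspecialchars` call used in `e()`, so the view-layer fix the second comment asks for does not require a new helper, only consistent use of the existing one at every output point, with the JavaScript encoder used wherever a value is written into a script block.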