XSS, CSRF replace #246

Open
wants to merge 1 commit into
from

lispro06 commented Sep 9, 2013

Remove security vulnerability.

XSS, CSRF replace
Remove security vulnerability.
lispro06 commented Sep 9, 2013

The images below show approving a problem using an approved user's authority.

The 'view unapproved problems' menu is enabled for approved user(s).

When an approved user clicks the CSRF problem, the problem(s) with the given value (#) get approved.

[images: unapproved, approved, fixed]

Tested on another site for study.

lispro06 commented Sep 9, 2013

<!-- hidden iframe that receives the response, so the victim's page does not visibly navigate -->
<iframe name="hidden" style="display:none"></iframe>
<form name="csrf" action="http://~/problem/reject" method="post" target="hidden">
<input type="hidden" name="id" value="91" />
</form>
<!-- auto-submit on load; the browser attaches the approved user's session cookie to the POST -->
<script>document.csrf.submit();</script>

The CSRF above removes the problem with value 91 using an approved user's authority.

amcnamara commented Oct 9, 2015

While I'm inclined to agree that rendering HTML into the problem title/description etc is super bad form, many of the problems already have markup in their descriptions. We would need to edit them all before this change could land.
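To make the migration concern in the comment above concrete, an added example that is not the project's code: escape the untrusted problem fields on output, and list which stored rows already contain markup and would therefore render differently once escaping lands. The field names and the three sample rows are constructed; the inventory flags intentional markup and injected markup alike, so someone still has to review each flagged row.

```javascript
// Added example, not the project's code. Field names and rows are constructed.

// Escape the five characters that can change HTML context in element content
// or a double-/single-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample rows: one plain, one that relies on markup for
// formatting, and one carrying an injected handler in its title.
const problems = [
  { id: 1, title: "Nothing but the Truth",
    description: "Enter a value which will make the form evaluate to true." },
  { id: 2, title: "Code example",
    description: "Write a function that works like <code>map</code> but is lazy." },
  { id: 3, title: "<img src=x onerror=alert(1)>",
    description: "plain" },
];

// Rendering with escaping applied to every untrusted field.
function renderProblem(p) {
  return `<h2>${escapeHtml(p.title)}</h2><p>${escapeHtml(p.description)}</p>`;
}

// Rows whose rendered output changes under escaping. These are the ones that
// need editing (or an allowlist sanitizer) before the change can land.
function rowsAffectedByEscaping(rows) {
  return rows
    .filter((p) => escapeHtml(p.title) !== p.title || escapeHtml(p.description) !== p.description)
    .map((p) => p.id);
}

console.log("rows to review before enabling escaping:", rowsAffectedByEscaping(problems));
console.log(renderProblem(problems[2]));
```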
