-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
There is a stored XSS in the article review area #38
Comments
@3lse The img tag not allow in comment, And i cat reproduce |
@94fzb Need to capture the package for reproduction |
@94fzb Maybe you have no restrictions on the server or storage. |
@3lse Comment use jsoup clean text, so img tag will remove when add comment |
@94fzb Here is a way of attack by middlemen, by modifying traffic packets to achieve the purpose of attack. |
So you need to do a verification of the received data to avoid this problem. |
Verification browser received data ? |
@94fzb yes! |
@3lse I think https is better way, and now the program support https |
@94fzb Maybe |
Comment area does not do input filtering
Poc
</p><img%20src=1%20onerror=alert(1)><p>
The text was updated successfully, but these errors were encountered: