You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a seemingly minor bug, but it is identical to the self-retweeting tweet so it should probably be addressed immediately. If HTML is placed into the title of the project, it is interpreted as such by the editor. This only does anything in the editor, and all other situations are either protected or do not show the title. Script tags are the scary part.
I think everywhere, the text is escaped when rendered. However here, it is client-side rendering and is manually injected by javascript. It is not very critical as only the author can actually see the edit page but it will affect someone who forks the same circuit.
Are you working on this issue? (Yes/No)
No
The text was updated successfully, but these errors were encountered:
armudgal
changed the title
HTML Injection
Reflected-XSS/HTML Injection
Mar 16, 2019
I want to work on this, and I think this is a quite serious issue.
I have a way to fix it in my mind. I tried to find the exact code piece that dynamically changes the title based on the project properties entry. I might need some help to locate that code piece and apply the fix.
Describe the bug
A user sent this mail
This is a seemingly minor bug, but it is identical to the self-retweeting tweet so it should probably be addressed immediately. If HTML is placed into the title of the project, it is interpreted as such by the editor. This only does anything in the editor, and all other situations are either protected or do not show the title. Script tags are the scary part.
I think everywhere, the text is escaped when rendered. However here, it is client-side rendering and is manually injected by javascript. It is not very critical as only the author can actually see the edit page but it will affect someone who forks the same circuit.
Are you working on this issue? (Yes/No)
No
The text was updated successfully, but these errors were encountered: