Stored XSS on forum #1661
Comments
This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users. JavaScript needs to be disabled in HTMLPurifier somehow for admins too.

Creating blacklists is not best practice; you should use a whitelist. For example, you disable the <script> tag, but the payload

Are you suggesting making a whitelist with all possible valid options, except for the <script> tag :)?
Really? I can't reproduce this case. Moreover, this situation is only possible if an administrator saves text with the XSS script. Regular users have stricter HTMLPurifier settings.

He is saying to only allow (whitelist) e.g. plain text. Thus you will automatically reject everything else.

I understand, but in this case all options from the HTMLPurifier default policy are needed, except the JS tag and attributes )
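The whitelist-versus-blacklist point discussed above, as an added example that is not code from this project or from anyone in the thread. It assumes the ezyang/htmlpurifier package installed via Composer, and the role names and the HTML.Trusted admin relaxation are hypothetical illustrations of how an admin-only stored XSS can arise, not a claim about this project's actual configuration.

```php
<?php
// Added example, not code from the project or this thread. Assumes the
// ezyang/htmlpurifier package is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Weak pattern (hypothetical): relax the purifier for administrators by
 * trusting their input. HTML.Trusted widens the default policy and enables
 * <script>, so anything an admin saves is rendered to every other user.
 */
function purifierConfigByRoleWeak(string $role): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    if ($role === 'admin') {
        $config->set('HTML.Trusted', true);
    }
    return $config;
}

/**
 * Corrected pattern: every role, admins included, gets one explicit whitelist
 * of elements and attributes. Nothing outside it survives, so there is no
 * per-payload "forbidden" list to keep up to date. Extra formatting for
 * admins (here headings) is granted by extending the list, never by trusting.
 */
function purifierConfigByRole(string $role): HTMLPurifier_Config
{
    $allowed = 'p,br,b,strong,i,em,u,ul,ol,li,blockquote,code,pre,a[href|title],img[src|alt]';
    if ($role === 'admin') {
        $allowed .= ',h2,h3';
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', $allowed);
    // Restrict link targets to plain web schemes; javascript: and data: URLs are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    return $config;
}

// Constructed sample forum post containing markup that must not be stored as-is.
$post = '<h2 onclick="alert(1)">Title</h2><p>Hello <b>forum</b></p>'
      . '<script>alert(1)</script><a href="javascript:alert(1)">link</a>';

foreach (['user', 'admin'] as $role) {
    $weak = (new HTMLPurifier(purifierConfigByRoleWeak($role)))->purify($post);
    $safe = (new HTMLPurifier(purifierConfigByRole($role)))->purify($post);
    echo "$role (trusted config): $weak\n";
    echo "$role (whitelist):      $safe\n";
}
```

Running it side by side shows the whitelist output is identical in shape for both roles apart from the extra heading tags, which is the property the thread is asking for.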
Hello, we found a stored XSS on the forum.
Tested on the latest version, 0.9.20.
PoC: