Cross-Site Scripting Vulnerability

[tch1bo]

Hello,

I noticed a Cross-Site Scripting (XSS) Vulnerability in line

dataviva-site/dataviva/apps/embed/views.py

Line 432 in 5bb4dac

return "/static/downloads/" + filenameDownload + ".zip"

It can be triggered by executing a request with title set to <img src=x onerror=evil_code> and downloadToken set to e.g. 1.

The malicious payload <img src=x onerror=evil_code> will then be injected in the returned HTML-page and sent to user. This will cause evil_code to get executed in user's browser.

This is a serious security issue and i would advise you to fix it ASAP. A possible fix is fairly easy, change the faulty line to:

return "/static/downloads/" + flask.escape(filenameDownload) + ".zip"

This will fix the XSS problem and will not harm in legit usecases.

Please note that i am not a regular contributor to your project. I found the bug while testing DeepCode’s AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign-up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.

Any feedback is more than welcome at chibo@deepcode.ai.

Cheers, Victor.