HTML Injection #2857
Comments
|
All left menu search fields are affected! (Contacts, products, members…) This would allow crafting a malicious URL embedding a nasty script. Good catch! |
|
Thanks!! I hope that this helps you to increase the security of this product :)) Regards. |
|
Versions 3.5 and 3.6 also affected! |
|
This is everywhere. Will take a bit of time to fix'em all… |
|
Patch was merged so I close the bug |
|
Is it fixed or not fixed? The bug has been closed & reopened |
|
I think that is not fixed yet. 2015-12-28 16:57 GMT+01:00 Marcos García notifications@github.com:
|
|
@marcosgdf Some have been fixed (the specifically reported ones). But vulnerable code is still all over the place. This is a profound issue with Dolibarr's project coding practices (very low level, very light abstraction model, so everything needs to be escaped manually and is almost always forgotten). Quite a lot of work is still to be done. Check the commit I did to fix the original issue to have a glimpse at what needs to be done elsewhere and feel free to help ;) |
|
Upon closer inspection, my fix (for 3.5) has not made it to develop (future 3.9)! |
… data by default This should mitigate most HTML injections allowing XSS.
|
Branches were merged. However, it is possible that conflicts were not correctly solved and we lost changes. |
[*] Page affected
[*] Fields affected
[*] PoC
You only need to inject the script code in this field like a:
"> < img src='http://www.xxx.com >
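The pattern the thread describes (a search value reflected back into the left-menu input with the manual escaping forgotten) beside its escaped form, plus a round-trip check a reviewer can run against any such field. This is an added example, not Dolibarr's own code; the field name `search_contact` and the helper names are assumptions, and the payload is the PoC string from this report.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (assumed, modelled on the thread): the submitted search value
// is concatenated straight into an HTML attribute, so a leading '">' closes the
// attribute and the element, and the remainder lands in markup context.
function render_search_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape on output for the attribute context. ENT_QUOTES covers
// both quote characters, so the value stays inside the attribute whatever it contains.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '">';
}

// Round-trip check: parse the rendered fragment and read back the input's value
// attribute. If the value arrived intact, nothing escaped into markup context.
function reflected_value(string $html): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // the injected markup is deliberately malformed
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

// Constructed input: the PoC string from the report, verbatim.
$payload = '"> < img src=\'http://www.xxx.com >';

foreach ([
    'vulnerable' => render_search_field_vulnerable('search_contact', $payload),
    'safe'       => render_search_field_safe('search_contact', $payload),
] as $label => $html) {
    $intact = reflected_value($html) === $payload;
    printf("%-10s value attribute round-trips: %s\n", $label, $intact ? 'yes' : 'NO (attribute broken out of)');
}
```

The vulnerable rendering reads back an empty `value` (the payload closed the attribute), while the escaped rendering returns the submitted string unchanged, which is the property each search field in the menu should satisfy after the fix.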