HTML Injection not filtered correctly #4291
Labels
Priority - High / Blocking
This is a security hole, or a bug that makes a feature impossible to use, or a very expected feature.
Security
This is a bug identified as a security bug
Comments
Well, except it is not saved (if you refresh the page, the field is empty). No big deal.
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue, Jan 8, 2016.
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue, Jan 8, 2016: "… data by default This should mitigate most HTML injections allowing XSS."
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue, Jan 8, 2016: "… data by default This should mitigate most HTML injections allowing XSS."
eldy added a commit that referenced this issue, Jan 8, 2016: "FIX #4291 Correctly filter external calendar GETPOSTs"
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue, Jan 11, 2016.
eldy added a commit that referenced this issue, Jan 12, 2016: "FIX #4291 Correctly filter bank card GETPOSTs"
eldy pushed a commit that referenced this issue, Jan 25, 2016.
eldy pushed a commit that referenced this issue, Apr 29, 2016.
Hi,
You have an HTML injection in the field "url" of the external calendar. You only need to edit the url parameter like: http://">< h1>injection< /h1> to see the HTML injection.
Regards
I see other fields, like the bank name, that are susceptible to HTML injection because all fields are not correctly parsed to avoid this issue.
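The report above describes a stored value being written back into an HTML attribute without escaping, and the referenced commits fix it by filtering the GETPOST values and escaping data by default. The following is an added, self-contained PHP example (not Dolibarr's code and not the project's actual fix) that shows the general pattern: the unescaped rendering that lets a value like the reported payload break out of the attribute, the escaped rendering that neutralises it, and an input-side check for a field that is only supposed to hold a calendar URL. The function names and the sample value are assumptions made for this illustration.

```php
<?php
// Added example, not part of the Dolibarr project: rendering a user-supplied "url"
// field into an HTML input, first unescaped (the defect class behind this issue),
// then escaped, plus an input-side validation step.
declare(strict_types=1);

// Vulnerable rendering: the raw value is interpolated into an attribute, so a value
// containing  ">  closes the attribute and the tag and injects new markup.
function renderUrlFieldUnsafe(string $url): string
{
    return '<input type="text" name="url" value="' . $url . '">';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES converts < > & " and '
// into entities, so the value can no longer terminate the attribute or the tag.
// Escaping at output time is the primary defence; it protects every value,
// whatever validation was (or was not) applied when it was stored.
function renderUrlFieldSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="url" value="' . $escaped . '">';
}

// Complementary input-side check for a field that must hold an external calendar
// URL: accept only syntactically valid http(s) URLs and reject anything else before
// it is stored. Returns null when the value is rejected.
function acceptCalendarUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Constructed input: the payload quoted in the report, with its defanging spaces removed.
$payload = 'http://"><h1>injection</h1>';

echo "Unescaped rendering:\n", renderUrlFieldUnsafe($payload), "\n\n";
echo "Escaped rendering:\n", renderUrlFieldSafe($payload), "\n\n";

echo "Input check on the payload: ";
var_dump(acceptCalendarUrl($payload));
echo "Input check on a well-formed calendar URL (constructed): ";
var_dump(acceptCalendarUrl('https://calendar.example/feed.ics'));
```

Run it with `php example.php`. The first rendering shows the attribute closed early and a new `<h1>` element emitted, which is what the reporter saw in the page; the second shows the same value rendered as inert text. Validation at input is worth keeping for a field with a known shape, but it is not a substitute for escaping at output: the bank name mentioned in the report has no shape that could be validated this way, and only output escaping covers it.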