HTML Injection not filtered correctly #4291

Closed
naxonez opened this issue Dec 24, 2015 · 1 comment
Labels: Priority - High / Blocking (this is a security hole or a bug that makes a feature impossible to use, or a very expected feature); Security (this is a bug identified as a security bug)

Comments


naxonez commented Dec 24, 2015

Hi,

You have an HTML injection in the field "url" of the external calendar. You only need to edit the url parameter like: http://">< h1>injection< /h1> to see the HTML injection.

Regards

(screenshot)

I see other fields, like the bank name, that are susceptible to HTML injection because not all fields are correctly parsed to avoid this issue:

(screenshot)

@naxonez naxonez changed the title HTML Injection in "import external calendar" HTML Injection not filtered correctly Dec 27, 2015
@rdoursenaud rdoursenaud added version develop Priority - High / Blocking This is a security hole or a bug that make a feature not possible to use or very expected feature. Security This is a bug identified as a security bug labels Jan 8, 2016
@rdoursenaud rdoursenaud self-assigned this Jan 8, 2016
rdoursenaud (Member) commented

Well, except it is not saved (if you refresh the page, the field is empty). No big deal.
Will push a patch anyway since this shouldn't hit the page in the first place.
Thanks!

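The defect the report describes is an attribute context that is closed by the first `"` in the reflected `url` value. Dolibarr's actual fix went through its own GETPOST input filtering (see the referenced commits); as an added, stand-alone example that is not the project's code, the snippet below shows the vulnerable rendering beside an escaped rendering and a strict URL check, using plain PHP and a constructed copy of the reporter's payload.

```php
<?php
// Added example, not Dolibarr code. Demonstrates why the reporter's payload
// breaks out of an <input value="..."> attribute and how escaping and input
// validation close that gap.

// Vulnerable rendering: the attribute ends at the first '"' of the input and
// whatever follows is parsed as markup.
function render_url_field_vulnerable(string $url): string
{
    return '<input type="text" name="url" value="' . $url . '">';
}

// Hardened rendering: escape for the HTML attribute context before output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids silently dropping
// the whole string on malformed UTF-8.
function render_url_field_safe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="url" value="' . $escaped . '">';
}

// Defensive input check: an external calendar URL should be an absolute
// http(s) URL with a hostname made of ordinary hostname characters only.
// Anything else is rejected before it reaches storage or the page.
function is_acceptable_calendar_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return false;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

// Constructed sample: the reporter's payload with the rendering spaces removed.
$payload = 'http://"><h1>injection</h1>';

echo render_url_field_vulnerable($payload), PHP_EOL;
echo render_url_field_safe($payload), PHP_EOL;
var_dump(is_acceptable_calendar_url($payload));
var_dump(is_acceptable_calendar_url('https://example.com/calendar.ics'));
```

Escaping at output is what stops the markup from rendering; the URL check additionally keeps junk out of the stored field, which matters once the value is persisted rather than only reflected.
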
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue Jan 8, 2016
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue Jan 8, 2016
… data by default

This should mitigate most HTML injections allowing XSS.
eldy added a commit that referenced this issue Jan 8, 2016
FIX #4291 Correctly filter external calendar GETPOSTs
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue Jan 11, 2016
eldy added a commit that referenced this issue Jan 12, 2016
FIX #4291 Correctly filter bank card GETPOSTs