Stored Cross-site scripting (XSS) in product page #7727
Labels: Stale (automatic label: open 1 year with no activity; remove to keep open), Bug
Stored Cross-site scripting (XSS) via the product page, bypassing XSS detection
Environment
product/card.php?id=1929&mainmenu=home
Expected and actual behavior
Expected behaviour
The XSS detector picks up the payload and refuses to save it.
Actual behaviour
The XSS payload is saved with no interference from the detector. When the page is visited later, the payload executes.
Steps to reproduce the behavior
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
Suggested implementation
Change the detector so that it picks up similar payloads (including this one).