Possible to crash a wiki by placing JS in the Site Title #2315

Closed
someguynamedmatt opened this issue Aug 20, 2020 · 1 comment
someguynamedmatt commented Aug 20, 2020

Describe the bug
An administrator can put incorrect input into the Site Title and create an irrecoverable crash in the wiki. Don't do this unless you have an easy way of getting into the source. This will make the wiki inoperable.

To Reproduce
Steps to reproduce the behavior:

  1. Go to a Wiki's Dashboard
  2. Click on General
  3. Put some arbitrary HTML/JS as the Site Title value, e.g. "<script>console.log('hi')</script>" (quotes for emphasis, don't use)
  4. Save the page
  5. Refresh the page
  6. See error on the page and in the console (see screenshots, below)

Expected behavior
Input should be sanitized

Screenshots
(any page on the wiki renders as...)
Screen Shot 2020-08-20 at 14 41 43

Screen Shot 2020-08-20 at 14 44 41

Member

NGPixel commented Aug 23, 2020

Not sure why you would do that in the first place, but fixed by 8c205b6

NGPixel closed this as completed Aug 23, 2020
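
The issue asks that the Site Title be sanitized. As an added illustration (not Wiki.js code and not the change in 8c205b6), the sketch below output-encodes an admin-supplied title for two contexts where such a value commonly lands: HTML text and an inline script config object. The page does not say which context caused the crash, and every function name here is hypothetical.

```javascript
// Added example; escapeHtml, jsonForInlineScript, renderPage and
// countScriptCloses are hypothetical names, not part of Wiki.js.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for placement in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JSON.stringify alone leaves "</script>" intact, which ends an inline
// <script> block early. Escaping <, > and & as \uXXXX keeps the JSON valid
// and keeps the HTML parser from seeing any tag inside the string.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render a minimal page head. With safe=false the title is interpolated
// raw, which is the behaviour the issue reports against.
function renderPage(siteTitle, { safe }) {
  const title = safe ? escapeHtml(siteTitle) : siteTitle;
  const config = safe
    ? jsonForInlineScript({ title: siteTitle })
    : JSON.stringify({ title: siteTitle });
  return `<title>${title}</title>\n<script>window.siteConfig = ${config}</script>`;
}

// Number of script-closing tags the HTML parser would find; a well-formed
// page produced by renderPage should contain exactly one.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Title value taken from step 3 of the issue.
const SAMPLE_TITLE = "<script>console.log('hi')</script>";
console.log('raw    :', countScriptCloses(renderPage(SAMPLE_TITLE, { safe: false })));
console.log('encoded:', countScriptCloses(renderPage(SAMPLE_TITLE, { safe: true })));
```

The encoded config still parses back to the original title, so the stored value is unchanged; only its rendering is made inert.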