XSS attack <script>console.warm('pwned')</script> #21

Closed
marcoscaceres opened this Issue Nov 13, 2012 · 8 comments

2 participants
@marcoscaceres
Member

marcoscaceres commented Nov 13, 2012

Because we were not sanitizing the titles of GitHub bugs, we left ourselves open to an XSS attack. @marcoscaceres tried to fix this with:

htmlspecialchars($var, ENT_QUOTES, 'UTF-8').

But he is no PHP security expert.
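The following is an added example, not code from the responsiveimages.org repository or from the issue's participants. It shows the kind of fix the thread describes: an issues list that interpolates GitHub issue titles straight into HTML, next to the same list rendered through `htmlspecialchars($var, ENT_QUOTES, 'UTF-8')`. The function names (`h`, `print_issues_unsafe`, `print_issues_safe`) and the issue records are constructed for the example; the first title is the payload from this issue's own subject line. Two details worth knowing when reviewing such a fix: `ENT_QUOTES` matters because without it (the `ENT_COMPAT` default before PHP 8.1) single quotes are left alone, so a title placed inside a single-quoted attribute is still not safe; and passing `'UTF-8'` explicitly matters because PHP before 5.4 defaulted to ISO-8859-1. `ENT_SUBSTITUTE` is added here on top of the thread's flags so that an invalid byte sequence is replaced rather than making the call return an empty string.

```php
<?php
// Added example (not the responsiveimages.org code): render GitHub issue
// titles into an HTML list before and after escaping. The issue data below
// is constructed for this example, not fetched from the GitHub API.
declare(strict_types=1);

/** Escape an untrusted string for HTML element content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES: escape both " and ' so the value is safe in single- or
    // double-quoted attributes as well as in element content.
    // 'UTF-8': pin the charset (PHP < 5.4 defaulted to ISO-8859-1).
    // ENT_SUBSTITUTE: replace invalid byte sequences instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable rendering: the title is interpolated into the markup as-is. */
function print_issues_unsafe(array $issues): string
{
    $out = "<ul>\n";
    foreach ($issues as $issue) {
        $out .= "  <li><a href=\"{$issue['html_url']}\" title='{$issue['title']}'>"
              . "#{$issue['number']}: {$issue['title']}</a></li>\n";
    }
    return $out . "</ul>\n";
}

/** Fixed rendering: every untrusted field is escaped for the context it lands in. */
function print_issues_safe(array $issues): string
{
    $out = "<ul>\n";
    foreach ($issues as $issue) {
        // The link target is also API-supplied; accept only http(s) URLs so
        // that a non-HTTP scheme cannot reach the href at all.
        $url = preg_match('#^https?://#i', $issue['html_url']) ? $issue['html_url'] : '#';
        $out .= '  <li><a href="' . h($url) . '" title=\'' . h($issue['title']) . '\'>'
              . '#' . (int) $issue['number'] . ': ' . h($issue['title']) . "</a></li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample input: the title from this report, plus a harmless
// title containing both quote characters to show why ENT_QUOTES is needed
// inside the single-quoted title='...' attribute above.
$issues = [
    ['number' => 21,
     'title' => "XSS attack <script>console.warm('pwned')</script>",
     'html_url' => 'https://example.invalid/issues/21'],   // placeholder URL
    ['number' => 99,                                        // constructed
     'title' => "Bob's \"srcset\" example",
     'html_url' => 'https://example.invalid/issues/99'],   // placeholder URL
];

echo "--- unsafe: the <script> element reaches the browser intact ---\n";
echo print_issues_unsafe($issues);
echo "--- safe: <, >, \", ' and & become entities ---\n";
echo print_issues_safe($issues);
```

Running this with `php` prints the unsafe list with the raw `<script>` element and the apostrophe in the second title terminating the `title='...'` attribute early, and then the escaped list in which the same characters appear as `&lt;`, `&gt;`, `&quot;` and `&#039;`. Escaping covers HTML text and attribute contexts only; a value placed inside a `<script>` block or built into a URL needs context-specific handling, which is why the safe version also restricts the `href` scheme.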

Member

marcoscaceres commented Nov 13, 2012

Need to fix this ASAP

Member

marcoscaceres commented Nov 13, 2012

Ok, I think I fixed it with: htmlspecialchars($var, ENT_QUOTES, 'UTF-8').

However, need security review.

Member

marcoscaceres commented Nov 13, 2012

testing again

Member

marcoscaceres commented Nov 13, 2012

Seems ok now, but would really like a proper review. Maybe @attiks can do it or knows someone? The file in question is: https://github.com/ResponsiveImagesCG/responsiveimages.org/blob/master/issues.php#L86 (print_issues() function)

Member

attiks commented Nov 13, 2012

did you push the latest changes?

Member

marcoscaceres commented Nov 13, 2012

ah, my bad. I did not. I only pushed to the website... pushing now.

Member

attiks commented Nov 13, 2012

That should do it.

@attiks attiks closed this Nov 13, 2012
