XSS attack <script>console.warm('pwned')</script> #21

Closed
marcoscaceres opened this Issue Nov 13, 2012 · 8 comments

@marcoscaceres
Responsive Issues Community Group member

Because we were not sanitizing the titles of GitHub bugs, we left ourselves open to an XSS attack. @marcoscaceres tried to fix this with:

htmlspecialchars($var, ENT_QUOTES, 'UTF-8').

But he is no PHP security expert.

@marcoscaceres marcoscaceres reopened this Nov 13, 2012
@marcoscaceres
Responsive Issues Community Group member

Need to fix this ASAP

@marcoscaceres
Responsive Issues Community Group member

Ok, I think I fixed it with: htmlspecialchars($var, ENT_QUOTES, 'UTF-8').

However, need security review.
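
An added example of the fix this comment describes (it is not the repository's issues.php): the unescaped rendering beside the htmlspecialchars() version, run over a constructed issue record carrying the same payload as this issue's title. The field names, the URL and the extra ENT_SUBSTITUTE flag are assumptions not taken from the thread.

```php
<?php
// Added example, not the project's own print_issues() code. It contrasts
// interpolating a GitHub issue title straight into HTML with escaping it
// through htmlspecialchars() as suggested in the comment above.

/** Vulnerable form: the title lands in the markup unchanged. */
function render_title_unsafe(string $title): string
{
    return "<li>$title</li>";
}

/**
 * Hardened form. ENT_QUOTES also escapes ' and " so the same helper is
 * safe inside quoted attributes; 'UTF-8' makes the charset explicit so
 * multibyte sequences are not misread. ENT_SUBSTITUTE (PHP 5.4+) is an
 * addition to the comment's call: it replaces invalid UTF-8 instead of
 * letting htmlspecialchars() return an empty string for the whole title.
 */
function esc(string $var): string
{
    return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escapes the title in both the text and the title="" attribute context. */
function render_title_safe(array $issue): string
{
    // Note: escaping covers HTML text/attribute contexts only. A value
    // placed in href= should additionally be checked for an http(s) scheme.
    return '<li><a href="' . esc($issue['html_url']) . '" title="'
        . esc($issue['title']) . '">' . esc($issue['title']) . '</a></li>';
}

/** True when no raw angle bracket survives in the rendered text content. */
function is_escaped(string $html): bool
{
    return strpos(strip_tags($html), '<') === false;
}

// Constructed sample record (assumed field names) using this issue's payload.
$issue = [
    'title'    => "XSS attack <script>console.warm('pwned')</script>",
    'html_url' => 'https://example.invalid/issues/21',
];

echo render_title_unsafe($issue['title']), PHP_EOL; // script tag reaches the browser
echo render_title_safe($issue), PHP_EOL;            // script tag shown as literal text
var_dump(is_escaped(render_title_unsafe($issue['title'])), is_escaped(render_title_safe($issue)));
```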

@marcoscaceres
Responsive Issues Community Group member

testing again

@marcoscaceres
Responsive Issues Community Group member

Seems ok now, but would really like a proper review. Maybe @attiks can do it or knows someone? The file in question is: https://github.com/ResponsiveImagesCG/responsiveimages.org/blob/master/issues.php#L86 (print_issues() function)

@attiks
Responsive Issues Community Group member
attiks commented Nov 13, 2012

did you push the latest changes?

@marcoscaceres
Responsive Issues Community Group member

ah, my bad. I did not. I only pushed to the website... pushing now.

@marcoscaceres
Responsive Issues Community Group member
@attiks
Responsive Issues Community Group member
attiks commented Nov 13, 2012

That should do it.

@attiks attiks closed this Nov 13, 2012