[FIX] Not escaping special chars on mentions #10793
One of the XSS is happening when the "Use Real Name" setting is enabled. You can change your display name to this for example:
I have no instance to test this but I think it should work.
@erhan- much appreciated for your fix.. we're working to fix our HackerOne issues.
I have tested this and it's not working since escapeHTML is from underscore.string and not underscore.. do you mind giving me write access to your fork so I can commit the fix and some tests I have written already? thx
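The comment above turns on where escapeHTML comes from; the following is an added example (not Rocket.Chat's code and not underscore.string's) showing what that escaping step has to do for a mention rendered with the "Use Real Name" setting. The escapeHTML helper, the renderMention functions and the sample real name are all assumptions constructed for this illustration.

```javascript
// Escape the characters that change meaning inside HTML text nodes and
// double/single-quoted attribute values. Assumption: this is a stand-in for
// the library escapeHTML the fix relies on, written here so the example is
// self-contained.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHTML(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The 'before' shape of the bug: the display name (which is user-controlled
// when "Use Real Name" is on) is interpolated straight into markup, so any
// tags in the real name become part of the rendered DOM.
function renderMentionUnsafe(username, realName, useRealName) {
  const display = useRealName && realName ? realName : username;
  return `<a class="mention-link" data-username="${username}">@${display}</a>`;
}

// Hardened form: every untrusted value is escaped before interpolation,
// the attribute value as well as the visible text.
function renderMention(username, realName, useRealName) {
  const display = useRealName && realName ? realName : username;
  return `<a class="mention-link" data-username="${escapeHTML(username)}">@${escapeHTML(display)}</a>`;
}

// Constructed sample: a real name carrying markup and every other special character.
const SAMPLE_REAL_NAME = '<b>Eve</b> & "friends"';

// Regression-style check: the hardened output must not contain any raw '<'
// apart from the anchor tag the renderer itself emits.
function leaksRawMarkup(html) {
  const withoutAnchor = html.replace(/^<a [^>]*>/, '').replace(/<\/a>$/, '');
  return /[<>]/.test(withoutAnchor);
}

function demo() {
  const unsafe = renderMentionUnsafe('eve', SAMPLE_REAL_NAME, true);
  const safe = renderMention('eve', SAMPLE_REAL_NAME, true);
  return { unsafe, safe, unsafeLeaks: leaksRawMarkup(unsafe), safeLeaks: leaksRawMarkup(safe) };
}

console.log(demo());
```

Escaping has to happen at the point the value is written into markup, not when it is stored, so that the same stored name is safe in every rendering path (message body, sidebar, notifications).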
May 17, 2018
May 18, 2018
Why is there no security notice about the vulnerability in the blog post?
It looks like the developers are trying to hide the fact that there was a security vulnerability. This is not acceptable and hurts the principle of responsible disclosure.
We do not disclose security fixes as soon as we have them fixed, to prevent bad guys from exploiting them.
We are currently working on our disclosure policies document for security fixes and we will share it here as soon as we have it finished.
Let me know if you want to contribute with ideas to our document, if you do please contact me at https://open.rocket.chat/direct/rodrigo.nascimento
That's a good approach. But not disclosing at all is a total no-go and the reason why I don't use RC anymore. Anyone who tracks the issues was able to see this vulnerability. The normal end user was not.
The following CVE was assigned: CVE-2018-13878