Unsanitized input #3002
Comments
@PineappleSnackz Thank you for your reports, although it would've been nice to contact us about the XSS issue in private to limit the risk of someone exploiting it. @trang @Gillux I've pushed a branch that I'm pretty sure should fix the issue: d44456c but I can't test it right now, so maybe one of you can take a look.
I do apologize; I realized that I probably should've sent an email a few seconds after submitting.
The XSS fix is now live and seems to work. I'm leaving the unsanitized HTTP posts for later since they seem to be limited to inserting garbage data and I think they don't enable attacks on other users of the website.
This fixes an XSS vulnerability. Refs #3002
The fix has been deployed so I'll close this issue. @PineappleSnackz, thanks again for reporting this :) And @Yorwba, thanks for the quick fix!
@trang I only fixed the security-critical aspects of this. It's still possible to insert invalid values (e.g. check out Pineapple's profile on dev), just not in a way that allows attacking users via XSS (I hope).
@Yorwba I see, my bad, I closed because I thought it was enough to just fix the security issue for the scope of this issue. Just my two cents regarding invalid values:
The issue with profile names has already been resolved, the only issue was that it rendered html code before. And while invalid data being entered isn't really a security issue, it is still an issue. It doesn't make sense that a sentence review with the value "100" is accepted by the server, when only -1 to 1 should be accepted, or that the language of a sentence can be set to "cats".
Yes, totally agree. I actually had a bit of a different understanding of what you meant by "does not properly sanitize data input". I thought your expectation was that we clean up the inputs by escaping or encoding special characters, or by removing unwanted characters. But it looks like what you actually meant is what I would describe as lack of proper validation and lack of proper error handling as well. In which case it would be good to align on what is the expected behavior for each of the inputs that were listed.
Thanks for clearing it up!
The profile name field on the website does not properly sanitize user input. For example, I was able to insert a picture as well as a JavaScript popup box into my profile name. This can allow for XSS attacks, which could lead to things such as sensitive information being stolen or the user's account being taken over.
The website also does not properly sanitize data input for the following fields: sentence reviews, sentence languages, profile languages, profile language levels, and birthday year. However, these issues are less severe since they appear to only allow for invalid data to be entered, and not malicious code execution. Inputting invalid data into these fields also requires the user to send an edited HTTP post request, which is less likely to happen than simply inputting data into the profile name field.
Steps To Reproduce:
Unsanitized name input
<script>alert("hello")</script>) and then save.
Unsanitized HTTP posts
I am not a security expert or web developer, so my understanding of these issues and their potential risks may be inaccurate. There may be other input fields on the website that do not properly sanitize user input. This bug report only covers what I have found.
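The report and the later comments describe two separate defects: the profile name was rendered as HTML (the XSS, closed by the deployed fix), and the server accepted values it should have rejected (a sentence review of "100" when only -1 to 1 are meaningful, a language of "cats"). The Python below is an added illustration of the difference between output escaping and input validation; it is not the project's code and not the fix in d44456c. The language allowlist, level scale, name length limit and birth-year window are constructed assumptions, not the site's real values.

```python
import html
from datetime import date

# Constructed allowlist standing in for the site's real language table (assumption).
KNOWN_LANGUAGES = {"eng", "fra", "deu", "jpn", "cmn"}
# Constructed scale for profile language levels (assumption, not the site's real scale).
KNOWN_LEVELS = {0, 1, 2, 3, 4, 5}
# Constructed upper bound on profile name length (assumption).
MAX_NAME_LEN = 40


def render_profile_name(stored_name: str) -> str:
    """Output escaping: whatever was stored, the browser receives text, not markup.
    This is what closes the XSS; it does nothing about the value being sensible."""
    return html.escape(stored_name, quote=True)


def validate_profile_name(value) -> str:
    """Input validation for the name: bounded, non-empty, no control characters.
    Note that '<script>' passes this check; only escaping on output makes it safe."""
    if not isinstance(value, str):
        raise ValueError("name must be a string")
    name = value.strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError(f"name must be 1..{MAX_NAME_LEN} characters")
    if any(ord(ch) < 32 for ch in name):
        raise ValueError("name contains control characters")
    return name


def validate_review(value) -> int:
    """Sentence review: an integer in -1..1, the only range the thread says is valid."""
    try:
        review = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"review must be an integer, got {value!r}")
    if review < -1 or review > 1:
        raise ValueError(f"review out of range -1..1: {review}")
    return review


def validate_language(value) -> str:
    """Language must be a known code; free text such as 'cats' is rejected."""
    if not isinstance(value, str) or value not in KNOWN_LANGUAGES:
        raise ValueError(f"unknown language code: {value!r}")
    return value


def validate_level(value) -> int:
    """Profile language level must be one of the known scale values."""
    try:
        level = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"level must be an integer, got {value!r}")
    if level not in KNOWN_LEVELS:
        raise ValueError(f"level not on scale {sorted(KNOWN_LEVELS)}: {level}")
    return level


def validate_birth_year(value, this_year=None) -> int:
    """Birth year must be a plausible four-digit year not in the future."""
    this_year = date.today().year if this_year is None else this_year
    try:
        year = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"birth year must be an integer, got {value!r}")
    if not (this_year - 130 <= year <= this_year):
        raise ValueError(f"birth year out of range: {year}")
    return year


VALIDATORS = {
    "name": validate_profile_name,
    "review": validate_review,
    "language": validate_language,
    "level": validate_level,
    "birth_year": validate_birth_year,
}


def validate_form(form: dict):
    """Run each submitted field through its validator and return (clean, errors).
    Fields with errors are never stored, and unknown fields are reported rather
    than silently accepted, so a hand-edited POST gets an error response instead
    of garbage in the database."""
    clean, errors = {}, {}
    for field, value in form.items():
        validator = VALIDATORS.get(field)
        if validator is None:
            errors[field] = "unknown field"
            continue
        try:
            clean[field] = validator(value)
        except ValueError as exc:
            errors[field] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submission resembling the edited POSTs the report describes.
    submitted = {"name": '<script>alert("hello")</script>', "review": "100", "language": "cats"}
    clean, errors = validate_form(submitted)
    print("stored:", clean)
    print("rejected:", errors)
    print("rendered name:", render_profile_name(clean["name"]))
```

The split matters for the discussion in the thread: validation alone would not have stopped the script in the profile name, and escaping alone does not stop a review of 100 or a language of "cats". Both are needed, and the server should answer an invalid field with an error rather than storing it.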