Security Fix for Stored Cross-site Scripting (XSS) - huntr.dev #694
https://huntr.dev/users/alromh87 has fixed the Stored Cross-site Scripting (XSS) vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/cabot/1/README.md |
User Comments:
Bounty URL: https://www.huntr.dev/bounties/1-pypi-cabot/
Executed persistent stored XSS in cabot check settings, as well as the address field.
Fixed by using built-in Django autoescape and URLValidator.
Although Django has inbuilt protection against XSS, it was disabled for the test result.error by using
{% autoescape off %}. Just to be sure I wasn't breaking any needed functionality, I inspected history to depict the purpose of this change. Offending line was introduced in 558f18c#diff-480f9da2f76d81e98bfb4c99316b90c6R52
for allowing embedding links in the response:
558f18c#diff-9ff30487dc763b21d6a7742d19eb2268R442
Function was removed a few commits later, making the use of
{% autoescape off %} unnecessary. As an extra, I added URLValidator in the Http test model.
<script>alert('Hi')</script>
Proof of Fix (PoF) *
After fix, no code is executed for remote user.
Fix will also handle previously stored offending endpoints with XSS.
After fix, functionality is unaffected.
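As an added illustration (not cabot's code nor the PR author's), the two mechanisms the fix relies on, modelled with standard-library stand-ins so it runs without Django: `html.escape` plays the role of Django's default autoescaping that `{% autoescape off %}` had switched off for `result.error`, and `validate_endpoint` is an assumed approximation of `URLValidator`'s scheme-and-host check on the HTTP check's address field.

```python
# Added example (not cabot's code): stdlib stand-ins for Django autoescaping
# and URLValidator, so the before/after of the fix can be checked offline.
import html
from urllib.parse import urlsplit

# Constructed sample: the report's payload, as it would sit in a stored check result.
STORED_ERROR = "<script>alert('Hi')</script>"


def render_error(error: str, autoescape: bool) -> str:
    """Model the template fragment that shows result.error.

    autoescape=False reproduces the old {% autoescape off %} block: the stored
    string is copied into the page verbatim, so markup in it executes.
    autoescape=True is Django's default; html.escape does for a plain string
    what Django's conditional_escape does.
    """
    body = error if not autoescape else html.escape(error, quote=True)
    return f'<td class="error">{body}</td>'


ALLOWED_SCHEMES = ("http", "https")


def validate_endpoint(url: str) -> bool:
    """Assumed approximation of Django's URLValidator for the address field.

    Requires an http/https scheme and a host, which rejects javascript: URLs
    and bare markup before they are stored. The real URLValidator is stricter
    (host syntax, TLD, etc.); this keeps only the checks relevant to the bug.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    # Raw markup characters in an address are never legitimate for a health check.
    return not any(c in url for c in "<>\"'")


if __name__ == "__main__":
    print(render_error(STORED_ERROR, autoescape=False))  # markup survives
    print(render_error(STORED_ERROR, autoescape=True))   # entity-encoded
    for candidate in ("https://example.com/health", "javascript:alert(1)", STORED_ERROR):
        print(candidate, "->", validate_endpoint(candidate))
```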