Stored Cross-site Scripting (XSS) #847

Closed
prodigysml opened this issue Oct 28, 2017 · 1 comment
@prodigysml

Summary

Stored Cross-site Scripting (XSS) in page name allowing a user to get arbitrary JS execution. This isn't really a big issue as the website already has all session tokens using HttpOnly, and you need to be an administrator (if using as the default) to post. It is quite reasonable for organisations to make other roles for contributors/authors, hence being worth the patch. I'm not too sure if this is still an issue in v3, as I couldn't get the server set up for it yet.

System information

Croogo version: v2.3.1-17-g6f82e6c
Web server: apache2
OS/Version: Ubuntu 16.04

Steps to reproduce

  1. Log into the website
  2. Create a new page
  3. Set the page's name to <img src=x onerror=alert(1)>
  4. Visit the page list section of the admin panel and observe an alert box pop up.

Expected behavior

<img src=x onerror=alert(1)> is HTML Encoded

Actual behavior

JS code is arbitrarily executed
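
The expected behaviour described above (the page name HTML-encoded when the list is rendered), as an added example that is not part of the original issue or of Croogo's code. The row-rendering functions, the `e()` helper and the record layout are hypothetical.

```php
<?php
// Added illustration, not Croogo source. Function and field names are hypothetical.

// Constructed sample rows standing in for stored page records.
$pages = [
    ['id' => 1, 'title' => 'About us'],
    ['id' => 2, 'title' => '<img src=x onerror=alert(1)>'], // page name from the report
];

// Encode a stored value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored title is concatenated into the markup unchanged,
// so the browser parses it as an element when the list is viewed.
function renderRowUnsafe(array $page): string
{
    return '<tr><td>' . (int) $page['id'] . '</td><td>' . $page['title'] . '</td></tr>';
}

// After: the title is encoded at output time, so it is displayed as text.
function renderRowSafe(array $page): string
{
    return '<tr><td>' . (int) $page['id'] . '</td><td>' . e($page['title']) . '</td></tr>';
}

// Regression check: the only tags in a rendered row must be the template's own.
function onlyTemplateTags(string $row): bool
{
    preg_match_all('/<\/?([a-z0-9]+)/i', $row, $m);
    return array_diff(array_map('strtolower', $m[1]), ['tr', 'td']) === [];
}

foreach ($pages as $page) {
    $safe = renderRowSafe($page);
    if (!onlyTemplateTags($safe)) {
        throw new RuntimeException('stored title reached the page as markup');
    }
    printf("unsafe ok=%s  safe: %s\n",
        var_export(onlyTemplateTags(renderRowUnsafe($page)), true), $safe);
}
```

In CakePHP view templates, the `h()` helper wraps `htmlspecialchars()` and serves the same purpose as the hypothetical `e()` here.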

@rchavik rchavik added the Defect label Nov 3, 2017
@rchavik rchavik added this to the 2.3.1 milestone Dec 6, 2017
@rchavik
Member

rchavik commented Oct 10, 2019

Fixed in 4.x

@rchavik rchavik closed this as completed Oct 10, 2019