Description - There's no escaping being done before printing out the value of Title on the Vocabulary page.
croogo version - v3.0.5
Steps to reproduce -
Navigate to http://localhost/croogo/admin/taxonomy/vocabularies/add & add the below-shared payload as the value of the Title field.
Payload - <img src=xss onerror=alert(1)>
Visit page http://localhost/croogo/admin/taxonomy/vocabularies; the payload will be triggered.
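An added example (not Croogo's or CakePHP's code) of the pattern this report describes: a stored title echoed into admin-page markup without escaping, beside the escaped form, exercised with the payload above. Function names, the row markup and the edit URL are assumed for illustration; the script is stand-alone PHP with no framework dependency.

```php
<?php
declare(strict_types=1);

// Added example, not Croogo's or CakePHP's code. Stand-alone PHP (>= 7.4)
// showing the unescaped-output pattern the issue describes next to the
// escaped form, exercised with the reporter's payload. Function names are
// hypothetical; the row markup and edit URL are invented for illustration.

// The payload from the issue report.
const PAYLOAD = '<img src=xss onerror=alert(1)>';

// Escape a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both ' and " so the value cannot break out of an
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise make the field silently vanish.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable sink: the stored title is concatenated straight into markup,
// once as text and once inside an attribute.
function renderRowUnsafe(string $title): string
{
    return '<tr><td>' . $title . '</td>'
        . '<td><a href="/admin/taxonomy/vocabularies/edit/1" title="' . $title . '">Edit</a></td></tr>';
}

// Hardened sink: escape at the point of output, in both contexts. The stored
// value stays raw, so nothing is double-encoded and other consumers (a JSON
// API, a search index) still see the original text.
function renderRowSafe(string $title): string
{
    $safe = escapeHtml($title);
    return '<tr><td>' . $safe . '</td>'
        . '<td><a href="/admin/taxonomy/vocabularies/edit/1" title="' . $safe . '">Edit</a></td></tr>';
}

// Regression check: parse the rendered fragment roughly the way a browser
// would and report whether any element carries an on* event-handler
// attribute. Escaped output must never produce one.
function hasEventHandler(string $fragment): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body><table>' . $fragment . '</table></body></html>');
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

foreach (['unsafe' => renderRowUnsafe(PAYLOAD), 'safe' => renderRowSafe(PAYLOAD)] as $label => $row) {
    printf("%-6s %s\n       event handler present: %s\n",
        $label, $row, hasEventHandler($row) ? 'yes' : 'no');
}
```

Run with `php example.php`: the unsafe row yields a live `<img>` with an `onerror` handler, the safe row renders the payload as literal text. In a CakePHP 3 template the equivalent of escapeHtml() is the `h()` shortcut, so an output such as `<?= $vocabulary->title ?>` becomes `<?= h($vocabulary->title) ?>`; whether that is where Croogo's fix landed is not shown on this page. htmlspecialchars() covers HTML text and quoted-attribute contexts only; a title interpolated into a JavaScript block, a URL or an unquoted attribute needs context-specific encoding instead.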
This is likely related to this line in CroogoHtmlHelper.php: https://github.com/croogo/croogo/blob/master/Core/src/View/Helper/CroogoHtmlHelper.php#L227
Fix: XSS
cafaaab
Closes #886, #887, #888, #889, #890, #900