External URL to track applications is not properly sanitized and leads to arbitrary code injection #514

mbo-s · 2018-11-13T20:30:42Z

It is possible to inject HTML/Javascript-Code like IFrames into a job offer.

Steps to reproduce:

Create a new job https://yawik.org/demo/en/jobs/edit
Under "Create job opening" in the menu "Track applications" change Mode to "use external link" and fill in e.g. javascript:alert('xss');"><script>alert('xss');</script><iframe src="https://www.yawik.org"><rel="
save

You will get to Javascript Messages "XSS" one from the preview and one from the "Track applications"-Menu.
The Iframe will be injected, too.

The text was updated successfully, but these errors were encountered:

cbleek · 2018-11-13T20:35:09Z

yes, this field should be filtered

let's ask @sergey-galenko , if he can fix this.

sergey-galenko · 2018-11-15T00:11:32Z

I'll take a look on it

issue #514

sergey-galenko added a commit to sergey-galenko/YAWIK that referenced this issue Nov 15, 2018

issue cross-solution#514

7ddd78c

sergey-galenko added a commit to sergey-galenko/YAWIK that referenced this issue Nov 15, 2018

issue cross-solution#514

240e656

cbleek added a commit that referenced this issue Nov 15, 2018

Merge pull request #517 from sergey-galenko/develop

3cb9843

issue #514

TiSiE closed this as completed Nov 15, 2018

mbo-s mentioned this issue Nov 15, 2018

link and applyLink are not filtered correctly yawik/SimpleImport#18

Open

mbo-s mentioned this issue Apr 26, 2019

company values are not sanitized and leads to arbitrary code injection #543

Closed

mbo-s mentioned this issue Oct 8, 2019

InputFilter in AtsMode Form does not seem to work #553

Closed

Provide feedback