
company values are not sanitized and leads to arbitrary code injection #543

Closed
mbo-s opened this issue Apr 26, 2019 · 0 comments · Fixed by #569

mbo-s commented Apr 26, 2019

Similar to #514: if you create or edit a company and change either the name or some of the other fields, you can insert HTML that will be displayed on the site.
Insert e.g. `<h1>Street</h1><script>alert('XSS');</script>`

Sample page:
https://yawik.org/demo/en/organizations/profile/5c9a4b9e0acec32a46342ff6?clear=1
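The root cause described in the report is output without encoding: whatever is stored in the company fields is concatenated into the profile markup as-is. The PHP below is an added example written for this page, not Yawik's own code, and it uses a plain array for the company record rather than Yawik's entity classes. It shows the unsafe rendering beside the hardened version, where each untrusted value goes through `htmlspecialchars()` before it is placed in the template (in a Zend/Laminas view script the equivalent is the `$this->escapeHtml()` view helper). The sample record reuses the payload quoted in the issue so the difference is visible.

```php
<?php
// Added example (not Yawik's code): escape company fields at output time.
// The company record is a constructed array; real Yawik entities differ.

declare(strict_types=1);

/**
 * Encode an untrusted string for HTML text or attribute context.
 * ENT_QUOTES also encodes single quotes, so the result is safe inside
 * single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 * of returning an empty string, which would silently blank the field.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable rendering: values are concatenated into markup unchanged,
 * so any HTML stored in the record is interpreted by the browser.
 * This mirrors the behaviour the issue reports.
 */
function renderCompanyUnsafe(array $company): string
{
    return '<h2>' . $company['name'] . '</h2>'
         . '<p class="street">' . $company['street'] . '</p>';
}

/**
 * Hardened rendering: every untrusted value passes through e() before it
 * reaches the template, so stored markup is shown as literal text.
 */
function renderCompanySafe(array $company): string
{
    return '<h2>' . e($company['name']) . '</h2>'
         . '<p class="street">' . e($company['street']) . '</p>';
}

// Constructed sample record using the payload quoted in the issue.
$company = [
    'name'   => 'Example Corp',
    'street' => "<h1>Street</h1><script>alert('XSS');</script>",
];

echo renderCompanyUnsafe($company), PHP_EOL;
echo renderCompanySafe($company), PHP_EOL;

// Regression check a test suite could carry: no raw tag survives encoding.
if (strpos(renderCompanySafe($company), '<script>') !== false) {
    throw new RuntimeException('company field rendered without escaping');
}
```

Encoding at output time, rather than stripping tags on input, is the robust choice here: the same stored value may later be rendered in HTML, in JSON, or in an e-mail, and each sink needs its own encoder. Input validation (length limits, rejecting control characters) is still worth adding on the company form, but it is not what stops the script from executing.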
