Update Tags_Resource_V2.postman_collection.json #27052

Closed
wants to merge 5 commits into from

rashik1144
Contributor

@rashik1144 rashik1144 commented Dec 19, 2023

Added the following postman test:

  • XSS injection test in the 'save-tags' API


Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@rashik1144
Contributor Author

@bryanboza The status code is still 200 when XSS is present. We may need to solve this as this shouldn't be functionally correct. Tag is not an admin-only feature.

@mbiuki
Contributor

mbiuki commented Jan 23, 2024

@bryanboza - is this ready to merge?

Contributor

@nollymar nollymar left a comment

Please fix the broken test

@mbiuki
Contributor

mbiuki commented Feb 5, 2024

@rashik1144 - can you please address the comment?

@rashik1144
Contributor Author

rashik1144 commented Feb 5, 2024

@mbiuki @nollymar This is actually an issue. It is giving a 200 error even when there is an XSS attack. Tag is not an admin-only feature. We must first restrict the XSS characters in tags to make this test pass. Tags do not have a regex option like the others do:
[image]

@mbiuki
Contributor

mbiuki commented Mar 20, 2024

We are not going to fix XSS issues of the same nature. Please close this pull request.

@mbiuki mbiuki closed this Mar 20, 2024

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube
