Cross site scripting issue in OSQA about page #516
I have installed OSQA successfully in my organisation. While doing the security check we found the XSS issue in the OSQA about page. For example we have tried the below entry in the OSQA About page using administration screen. Can someone please suggest any fix for XSS issue?
@anuvarman This is only an XSS vulnerability if hackers can log in as administrators. That page is driven by https://github.com/dzone/osqa/blob/master/forum/urls.py#L42 and is populated directly from the database based on whatever the admin users put into that field. You should definitely not grant any admin access to users who you do not trust to NOT inject XSS into that field, or any other field (or view user data, for that matter because any admin user can do that).
Basically, don't worry, and make sure you limit admin access to people you trust.
IMHO, this should be a
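The reply above puts the risk where it belongs (an untrusted admin), but an operator who wants defence in depth for an admin-editable HTML field can sanitize it against an allowlist before rendering. The following is an added example, not OSQA's own code and not part of this thread; it uses only the Python standard library and assumes a small, hypothetical set of tags an "about" page needs. Anything outside the allowlist (script and style bodies, event-handler attributes, non-http(s) link targets) is dropped, and all remaining text is re-escaped.

```python
from html.parser import HTMLParser
import html

# Allowlist of tags/attributes an "about" page legitimately needs (assumption).
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
# Link targets must start with one of these; everything else (javascript:, data:, ...) is dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}  # never emit a closing tag for these


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes; text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop unknown tag, keep its text content (handled by handle_data)
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick=, style=, srcdoc= are never copied through
            if name == "href":
                target = (value or "").strip()
                if not target.lower().startswith(SAFE_URL_PREFIXES):
                    continue
            safe_attrs.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            # convert_charrefs=True already decoded entities, so re-escape everything here
            self.out.append(html.escape(data, quote=False))


def sanitize_about(raw_html: str) -> str:
    """Return an allowlist-sanitized version of admin-entered about-page HTML."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of the kind of field content a security check would try.
    sample = '<p>About us <script>alert(1)</script><b onclick="x()">team</b> '
    sample += '<a href="javascript:alert(1)">link</a> <a href="https://example.org/">site</a></p>'
    print(sanitize_about(sample))
```

Run this at render time (or on save, with the rendered template still escaping by default) rather than trusting the stored value; an allowlist that drops what it does not recognise fails safe, whereas a blocklist of known-bad tags has to be updated every time a new vector appears.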