
Reflected XSS #1503

Closed
dmchell opened this issue Jun 28, 2017 · 3 comments

Comments

@dmchell

commented Jun 28, 2017

We're using this framework internally within a flask app and a colleague noted a reflected XSS issue:

Example:
https://10.0.0.1/admin/user/edit/?url=%20javascript%3aalert(document.domain)&id=8

User interaction is required: when clicking the "List" link, the JavaScript is executed.


@pawl

Member

commented Jun 29, 2017

It looks like we're going to need a more robust version of is_safe_url.

It looks like Django's handles it correctly:

>>> from django.utils.http import is_safe_url
>>> is_safe_url('/admin/car/')
True
>>> is_safe_url(' javascript:alert(document.domain)')
False

Their version of is_safe_url is pretty complex and I'm not sure which line is causing it to return false yet. Here's a link to the file it's in: https://github.com/django/django/blob/550cb3a365dee4edfdd1563224d5304de2a57fda/django/utils/http.py
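One way to build the more robust check discussed above, as an added example (my own code, not flask-admin's and not Django's; the names `naive_is_safe_url`, `is_safe_url`, `safe_return_url` and the `request_host` parameter are this example's own choices). Django rejects `' javascript:alert(document.domain)'` because, after the leading whitespace is stripped, the URL parses with a scheme (`javascript`) but no host, and `javascript` is not one of its allowed schemes. The strict check below applies those two rules and additionally refuses control characters anywhere in the URL, three leading slashes, and backslashes that browsers treat as slashes. Beside it sits a constructed prefix-blocklist check that the reported payload slips past, to show why checking the raw string is not enough.

```python
import unicodedata
from urllib.parse import urlsplit

# Added example, not flask-admin's or Django's code. Function and parameter
# names are this example's own choices.


def naive_is_safe_url(url):
    """Constructed weak check for contrast: a scheme blocklist on the raw string.

    Browsers strip leading whitespace and ASCII tab/newline from a URL before
    resolving it, so " javascript:..." and "java\\tscript:..." pass this test
    yet still execute script when placed in an href.
    """
    return not url.lower().startswith(("javascript:", "data:", "vbscript:"))


def is_safe_url(url, allowed_hosts, require_https=False):
    """True only if *url* is a relative path or points at an allowed host over
    http(s). Both the URL and its backslash-normalised form are checked, since
    browsers treat "\\" as "/" in paths ("/\\evil.com" becomes "//evil.com")."""
    if url is None:
        return False
    url = url.strip()  # the browser drops surrounding whitespace; judge what it will see
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    hosts = {h.lower() for h in allowed_hosts}
    return (_is_safe_url(url, hosts, require_https)
            and _is_safe_url(url.replace("\\", "/"), hosts, require_https))


def _is_safe_url(url, hosts, require_https):
    # Reject control characters anywhere rather than normalising them: a tab
    # inside the scheme reads as a relative path to older urlsplit versions
    # while the browser reads it as "javascript:".
    if any(unicodedata.category(ch)[0] == "C" for ch in url):
        return False
    # Chrome treats three or more leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    scheme = parts.scheme.lower()
    # A scheme with no host: "javascript:alert(1)", "data:...", "http:///evil.com".
    # This is also what rejects the reported payload once its leading space is gone.
    if scheme and not parts.netloc:
        return False
    # Protocol-relative "//evil.com/x" is absolute to the browser; treat it as http.
    if not scheme and parts.netloc:
        scheme = "http"
    valid = {"https"} if require_https else {"http", "https"}
    if scheme and scheme not in valid:
        return False
    return not parts.netloc or parts.netloc.lower() in hosts


def safe_return_url(candidate, request_host, fallback="/"):
    """URL to put in the "List" link or a redirect: the validated candidate,
    stripped exactly as it was checked, or *fallback*.
    In Flask, pass request.host (host plus any non-default port) as request_host."""
    if candidate is not None and is_safe_url(candidate, {request_host}):
        return candidate.strip()
    return fallback


if __name__ == "__main__":
    # Constructed inputs: the reported payload plus the usual bypass shapes.
    host = "10.0.0.1"
    for u in ["/admin/car/", " javascript:alert(document.domain)", "JavaScript:alert(1)",
              "java\tscript:alert(1)", "//evil.com/", "///evil.com", "/\\evil.com",
              "http:///evil.com", "https://10.0.0.1/admin/user/"]:
        print(f"{u!r:45} naive={naive_is_safe_url(u)!s:5} strict={is_safe_url(u, {host})}")
```

When rendering the link, use `safe_return_url(request.args.get('url'), request.host)` rather than the raw query value, so the href the browser sees is the same string that was validated.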

@lbhsot

Contributor

commented Aug 27, 2018

Any progress?

@mrjoes mrjoes closed this in #1505 Aug 27, 2018

lbhsot pushed a commit to lbhsot/flask-admin that referenced this issue Sep 4, 2018


lbhsot pushed a commit to lbhsot/flask-admin that referenced this issue Sep 5, 2018

marksteward added a commit to emfcamp/Website that referenced this issue Sep 9, 2018

Loosen jinja2 version constraint and pipenv update
* emfcamp/slotmachine@0357627 includes changes made for the event
* jinja2 2.10 includes various new features, including an `in` test
* flask-admin 1.5.2 fixes XSS flask-admin/flask-admin#1503
* geoalchemy2 0.5.0 add ST_Azimuth and pickle support
* attrs 18.2 includes various bug fixes
* hypothesis 3.71 includes swapping pickle for json
* locustio 0.9.0 no longer resets stats after hatching
* pytest 3.8.0 now uses `warnings`

lbhsot pushed a commit to lbhsot/flask-admin that referenced this issue Sep 11, 2018

mrjoes added a commit that referenced this issue Dec 20, 2018

Merge pull request #1699 from lbhsot/master
refs #1503 fix reflected xss