This repository has been archived by the owner. It is now read-only.

Minor text injection vulnerability #2978

Closed
benhc123 opened this Issue Dec 2, 2014 · 12 comments

benhc123 commented Dec 2, 2014

techtonik commented Dec 2, 2014

So, how to exploit that? Can you inject JavaScript or links there?

benhc123 commented Dec 2, 2014

chadwhitacre commented Dec 2, 2014

So the fix is to validate the elsewhere username on the failure page?

benhc123 commented Dec 2, 2014

Yup :).
I can understand if that's quite a lot of work for such a simple problem.
I just noticed that there wasn't any verification going on.

chadwhitacre commented Dec 2, 2014

IRC

colindean commented Dec 3, 2014

colindean commented Dec 3, 2014

Facebook is 50, according to a StackOverflow question answer.

colindean commented Dec 3, 2014

Limiting by size isn't probably the right way to go, though. We do know that they have to work in URLs, so one check could bounce if the input contains characters invalid in URLs.

In practice, I think all the elsewhere sites' handles are Latin characters without diacritics.

It would still be better to check validity with the platform in question.
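The check discussed in the comment above, as an added example that is not code from this thread or from the project: a handle is reflected on the failure page only if it passes a character allowlist and a per-platform length bound. The names `validate_handle`, `failure_message` and `PLATFORM_MAX_LEN`, the exact allowlist and the message wording are assumptions; only the Facebook limit of 50 comes from the thread.

```python
import re

# Allowlist for a handle that has to work as a URL path segment. Restricting
# it to ASCII letters, digits, ".", "_" and "-" is an assumption based on the
# thread's remark that handles are Latin characters without diacritics.
HANDLE_RE = re.compile(r"[A-Za-z0-9._-]+")

# Secondary bound per platform. 50 for Facebook is the figure quoted in the
# thread; a platform missing from this table gets no reflected text at all.
PLATFORM_MAX_LEN = {"facebook": 50}


class InvalidHandle(ValueError):
    """The requested handle must not be echoed back to the visitor."""


def validate_handle(platform, raw):
    """Return raw unchanged if it is a plausible handle, else raise."""
    if platform not in PLATFORM_MAX_LEN:
        raise InvalidHandle("unknown platform")
    if not isinstance(raw, str) or not raw:
        raise InvalidHandle("empty handle")
    if len(raw) > PLATFORM_MAX_LEN[platform]:
        raise InvalidHandle("handle too long")
    # fullmatch rather than match or a "$" anchor: "$" also matches before a
    # trailing newline, which would let "alice\n" through.
    if HANDLE_RE.fullmatch(raw) is None:
        raise InvalidHandle("character not allowed in a handle")
    return raw


def failure_message(platform, raw):
    """Text for the failure page; only a validated handle is reflected."""
    try:
        handle = validate_handle(platform, raw)
    except InvalidHandle:
        return "We could not find that account."
    return "There is no user named %s on %s." % (handle, platform)
```

Validation of this kind complements output escaping in the template and does not replace it.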

chadwhitacre commented Dec 3, 2014

> Limiting by size isn't probably the right way to go, though.

FTR, @colindean was responding to some live-coding I was doing. PR forthcoming ...

techtonik commented Dec 3, 2014

How does this non-proper name injection exploit work anyway?

benhc123 commented Dec 3, 2014

Fixed. Thanks @whit537.

benhc123 closed this Dec 3, 2014

benhc123 reopened this Dec 3, 2014

chadwhitacre added a commit that referenced this issue Dec 3, 2014

chadwhitacre commented Dec 3, 2014

@benhc123 Best not to close until we confirm the fix in production.