XSS when adding a post in the admin backend; arbitrary files can be uploaded via the avatar upload #336
Labels
kind/support
Categorizes issue or PR as a support question.
triage/unresolved
Indicates an issue that can not or will not be resolved.
vulnerability
Vulnerability
When adding a blog post in the admin backend, the code does not filter or restrict the inserted content, so XSS statements can be inserted; when a front-end user visits the post, the XSS is triggered, which is a security risk.
When uploading an avatar in the admin backend, capturing the upload request and changing the file extension shows that the backend code (halo/blob/master/src/main/java/run/halo/app/service/impl/AttachmentServiceImpl.java) imposes no restriction, so files with any extension can be uploaded, which is a security risk.
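One way the avatar upload path described above could reject non-image files, as an added example that is not Halo's own code: an extension allowlist, a magic-byte check of the uploaded content against the claimed type, and a server-generated storage name so the client-supplied filename never reaches disk. The class and method names here are assumptions, not Halo identifiers.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Added example, not Halo's own code: validate an avatar upload before storing it.
public final class AvatarUploadCheck {
    // Avatars may only be images; any other extension is rejected outright.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");

    /** Lower-cased extension of the client-supplied name, or null if it has none. */
    static String extensionOf(String filename) {
        if (filename == null) return null;
        String base = filename.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1); // drop any path component
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True when the leading bytes carry the magic number of the claimed image type. */
    static boolean magicMatches(String ext, byte[] head) {
        switch (ext) {
            case "png":  return startsWith(head, new byte[]{(byte) 0x89, 0x50, 0x4E, 0x47});
            case "jpg":
            case "jpeg": return startsWith(head, new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
            case "gif":  return startsWith(head, "GIF8".getBytes(StandardCharsets.US_ASCII));
            default:     return false;
        }
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        return data != null && data.length >= prefix.length
                && Arrays.equals(Arrays.copyOfRange(data, 0, prefix.length), prefix);
    }

    // Returns a server-generated storage name for an acceptable upload, otherwise throws.
    // The client's filename is used only to read the extension; it is never written to disk.
    static String storageNameFor(String clientFilename, byte[] head) {
        String ext = extensionOf(clientFilename);
        if (ext == null || !ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("avatar must be an image file");
        }
        if (!magicMatches(ext, head)) {
            throw new IllegalArgumentException("file content does not match its extension");
        }
        return UUID.randomUUID() + "." + ext;
    }
}
```

With this check in front of the attachment service, a renamed ".jsp" or ".php" upload fails the allowlist, and a non-image renamed to ".png" fails the magic-byte comparison.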