XSS Issue

[MSylvia]

Any code in the content field get evaluated.

[  
   "line",
   {  
      "timestamp":0000000000000,
      "streamid":"rtail.org",
      "host":"XXX.XXX.XXX.XXX",
      "port":50049,
      "content":"<script>window.top.location.href=\"http://www.google.com\"</script>",
      "type":"string"
   }
]

This would redirect the user to http://www.google.com

[MSylvia]

Also see Issue #61.

[kilianc]

I think I fixed this in: #58

[kilianc]

@MSylvia thanks for reporting this first of all, I created a stream called "XSS no more" that should prove the fix works but since you're here, two more eyes would not hurt.

[MSylvia]

Ah I see that now. At the time I wrote it the current version of rtail.org had this issue. The fix might not have been deployed.

[kilianc]

@MSylvia yes, the demo is using a s3 bucket cached in ram for many hours. But someone has been faster than me tonight. I had to restart the demo and everything is working now. Along with other fixes and features like ellipsis for long names in the sidebar and resizable sidebar!

Shall we close this?

[MSylvia]

Yes. Seems to be resolved. :)