ChatPrototype activity does not sanitize input #225

Closed
ericyoondotcom opened this issue Nov 1, 2018 · 2 comments

@ericyoondotcom
Contributor

The ChatPrototype activity is susceptible to arbitrary script injection, and by extension, XSS.
[Animated GIF of demonstration]

To fix this, either sanitize all HTML tags, or select for certain "whitelisted" tags.
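The two mitigations the report names, as an added example that is not code from the project or the issue author: escape every tag so chat text renders literally, or keep only a small allowlist of harmless formatting tags and drop all attributes. The tag set and function names are assumptions.

```javascript
// Added example (not the project's code): two defensive ways to render chat text.
// escapeHtml() neutralises every tag; allowlistHtml() keeps a few bare
// formatting tags and escapes everything else. ALLOWED_TAGS is an assumption.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only these tag names survive, and attributes are never kept, so event
// handlers and URL attributes have nowhere to live in the output.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "br"]);

// A tag token is "<", an optional "/", a name, then anything up to the next ">".
// Everything between tokens is text and is escaped.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

function allowlistHtml(text) {
  const s = String(text);
  let out = "";
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeHtml(s.slice(last, m.index));
    const name = m[2].toLowerCase();
    // Re-emit an allowed tag bare (no attributes); escape any other tag whole.
    out += ALLOWED_TAGS.has(name) ? `<${m[1]}${name}>` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(s.slice(last));
}

// Constructed chat messages showing both behaviours.
console.log(escapeHtml('<b onclick="x">hi</b>'));    // &lt;b onclick=&quot;x&quot;&gt;hi&lt;/b&gt;
console.log(allowlistHtml('<b onclick="x">hi</b>')); // <b>hi</b>
```

Whichever function is used, its output must be the only thing assigned to innerHTML; assigning the raw message text is what the report describes.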

@llaske
Owner

llaske commented Nov 8, 2018

Fixed in #231

@llaske llaske added this to the v1.1 milestone Nov 8, 2018
@llaske
Owner

llaske commented Nov 17, 2018

Please leave this issue open until it's officially integrated into the release.

@llaske llaske reopened this Nov 17, 2018
@llaske llaske closed this as completed Jan 21, 2019