XSS Protection #188

Closed
yonjah opened this issue May 17, 2017 · 3 comments

Comments

@yonjah

yonjah commented May 17, 2017

It seems like it is possible to inject code into commits -
https://mavo.io/demos/homepage/?lite=&homepage-storage=https%3A%2F%2Fgithub.com%2Fyonjah%2Fdata-1%2Fhomepage.json

Since you don't need any approval to send a link to the preview page, this means stored XSS can be achieved without a major issue.
Even if the preview will only be available to owners, this is still a major issue, since if we assume most owners will not have basic programming skills and won't be able to manually review the commit, going into the preview page with injected code will allow taking over the owner account.

I know this project is still very young, but it is probably something you'll want to address sooner rather than later.
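
The class of bug reported in the comment above, as an added example that is not Mavo's or TinyMCE's own code: a constructed JSON document standing in for what the `homepage-storage` backend returns, an unsafe binding that trusts the rich-text HTML it contains, and a hardened binding that escapes plain fields and rebuilds rich-text fields from a tag allowlist. The field names, the `renderUnsafe`, `renderSafe` and `sanitizeHtml` functions and the allowlist itself are assumptions made for illustration; a production app should rely on a maintained sanitizer such as DOMPurify rather than a hand-rolled tokenizer like this one.

```javascript
// Added example, not Mavo or TinyMCE code. A Mavo-style page loads its data
// from whatever URL the ?homepage-storage= parameter names, so every field in
// that JSON is controlled by whoever crafted the link. Rich-text fields are
// the dangerous ones: they are HTML by design and end up in the DOM as HTML.

// Constructed stand-in for the JSON a storage backend would return (assumption).
const UNTRUSTED_DATA = {
  title: "Hello <script>alert(1)</script>",
  body: '<p>Welcome</p><img src=x onerror="alert(document.cookie)">' +
        '<a href="javascript:alert(1)">link</a><b>bold</b>',
};

// Allowlist for rich-text fields: tags we keep, tags whose *content* is also
// dropped, and the single attribute we allow (href on <a>, http(s) only).
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"]);
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

function escapeText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Matches one complete tag at the start of the string; anything that does not
// match is treated as text and escaped, which is the safe default.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Positive check: only plain http(s) URLs survive, so javascript:, data: and
// whitespace/control-character tricks are rejected without enumerating them.
function safeHref(value) {
  const v = value.trim().replace(/[\u0000-\u001f]/g, "");
  return /^https?:\/\//i.test(v) ? v : null;
}

function sanitizeHtml(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    const m = TAG_RE.exec(input.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; } // stray "<" is just text
    const [whole, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (DROP_CONTENT.has(name) && !closing) {
      // Skip the element body too; script text must not leak out as "text".
      const end = input.toLowerCase().indexOf(`</${name}`, i);
      const closeEnd = end === -1 ? -1 : input.indexOf(">", end);
      i = closeEnd === -1 ? input.length : closeEnd + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // drop the tag, keep the surrounding text
    if (closing) { out += `</${name}>`; continue; }
    // Tags are rebuilt from scratch rather than copied, so no input bytes
    // other than a vetted href ever reach the output inside a tag.
    let attrs = "";
    if (name === "a") {
      for (const a of rawAttrs.matchAll(ATTR_RE)) {
        if (a[1].toLowerCase() !== "href") continue;
        const href = safeHref(a[2] ?? a[3] ?? a[4] ?? "");
        if (href) attrs = ` href="${escapeText(href)}"`;
      }
    }
    out += `<${name}${attrs}${selfClose ? " /" : ""}>`;
  }
  return out;
}

// The vulnerable binding: stored content is trusted and concatenated as HTML.
function renderUnsafe(data) {
  return `<h1>${data.title}</h1><div>${data.body}</div>`;
}

// The hardened binding: plain fields are escaped, rich-text fields sanitized.
function renderSafe(data) {
  return `<h1>${escapeText(data.title)}</h1><div>${sanitizeHtml(data.body)}</div>`;
}

module.exports = { UNTRUSTED_DATA, escapeText, sanitizeHtml, renderUnsafe, renderSafe };
```

Run with `node` to compare `renderUnsafe(UNTRUSTED_DATA)` against `renderSafe(UNTRUSTED_DATA)`: the first output carries the `<script>` element, the `onerror` handler and the `javascript:` link straight into the page, the second keeps only `<p>`, `<a>` (with no href) and `<b>`. The design point is that the sanitizer rebuilds markup from an allowlist instead of trying to strip known-bad patterns, which is the only approach that stays safe when the attacker, not the owner, authored the stored content.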

@LeaVerou (Member)

Ouch, thanks! This is only present on TinyMCE areas, right?

@LeaVerou (Member)

Yup, after some digging around, it looks like it's a vulnerability of the TinyMCE plugin, and should be fixed there. Moving it there!

@LeaVerou (Member)

This issue was moved to mavoweb/plugins#7
