XSS vulnerability #4

Closed
Erreinion opened this Issue Aug 30, 2012 · 2 comments

@Erreinion

By adding:
`<script>document.location="http://google.com";</script>`
I can reliably redirect WorkFlowy when exporting or drilling down into the note.

There is no issue if the code is surrounded by `` or when the extension is disabled.

@medovob
Owner
medovob commented Sep 3, 2012

Thanks. I think it's been assumed that all notes will come from a trusted source, but given the ability to share and publish lists, this can't be assured. Have you any suggestions to remove this vulnerability?

Perhaps a sanitizer like Caja?

@Erreinion

There are a few libraries that you can use.

OWASP ESAPI (https://www.owasp.org/index.php/ESAPI)

Check out OWASP's "XSS CheatSheet" for more tips and approaches: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

@medovob medovob closed this in bdeaf41 Sep 4, 2012
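
An added example, not the extension's code (which this page does not show): a hypothetical note renderer in the vulnerable shape the issue describes, next to one that applies the HTML entity encoding from the OWASP cheat sheet linked above. The names `escapeHtml`, `renderNoteUnsafe`, `renderNoteSafe` and the sample note are constructed for illustration.

```javascript
// Hypothetical renderer for illustration; not taken from the extension.
// OWASP XSS Prevention Cheat Sheet, rule #1: encode these characters
// before placing untrusted text into HTML element content.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable shape: only text inside backticks is encoded, everything
// else reaches the page as markup. This matches the report that the
// payload is inert when surrounded by backticks.
function renderNoteUnsafe(note) {
  return note.replace(/`([^`]*)`/g, (_, code) => `<code>${escapeHtml(code)}</code>`);
}

// Hardened shape: every segment of the note is encoded; the only markup
// in the output is the <code> wrapper the renderer itself emits.
function renderNoteSafe(note) {
  // split() with a capture group puts backtick spans at odd indexes.
  return note
    .split(/`([^`]*)`/)
    .map((part, i) => (i % 2 ? `<code>${escapeHtml(part)}</code>` : escapeHtml(part)))
    .join("");
}

// Constructed sample note: the reported payload plus a code span.
const SAMPLE_NOTE =
  'todo <script>document.location="http://google.com";</script> and `<b>`';

console.log(renderNoteUnsafe(SAMPLE_NOTE)); // script tag survives as markup
console.log(renderNoteSafe(SAMPLE_NOTE));   // script tag rendered as text
```

Entity encoding is enough only when the note is meant to display as plain text; if some HTML in notes must be preserved, an allow-list sanitizer of the kind discussed in the thread is the fit.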