XSS vulnerability #4

Closed
Erreinion opened this Issue Aug 30, 2012 · 2 comments

By adding:

```
<script>document.location="http://google.com";</script>
```

I can reliably redirect WorkFlowy when exporting or drilling down into the note.

There is no issue if the code is surrounded by `` or when the extension is disabled.

medovob Sep 3, 2012

Owner

Thanks. I think it's been assumed that all notes will come from a trusted source but given the ability to share and publish lists, this can't be assured. Have you any suggestions to remove this vulnerability?

Perhaps a sanitizer like Caja?

Erreinion Sep 4, 2012

There are a few libraries that you can use.

OWASP ESAPI (https://www.owasp.org/index.php/ESAPI)

Check out OWASP's "XSS CheatSheet" for more tips and approaches: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

@medovob medovob closed this in bdeaf41 Sep 4, 2012
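
The output-encoding approach suggested in the thread, as an added example that is not the extension's code or the change in bdeaf41. It assumes the extension builds HTML from note text and treats backtick spans as code; `escapeHtml` and `renderNote` are hypothetical names.

```javascript
// Characters that must be encoded before untrusted text is placed in HTML
// element content (the set used by the OWASP cheat sheet linked in the thread).
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode every special character in a single pass so that entities written
// by this function are never re-escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed rendering step: escape the whole note FIRST, then add the only
// markup the renderer itself produces (backtick spans become <code>).
// Formatting first and escaping second would either destroy the renderer's
// own tags or let note-supplied tags through.
function renderNote(noteText) {
  const safe = escapeHtml(noteText);
  return safe.replace(/`([^`]+)`/g, "<code>$1</code>");
}

// The note text reported in this issue.
const ISSUE_PAYLOAD =
  '<script>document.location="http://google.com";</script>';

// Constructed sample: a note that uses a backtick span around markup.
const CODE_SPAN_NOTE = "wrap text in `<b>` to make it bold";

console.log(renderNote(ISSUE_PAYLOAD));
console.log(renderNote(CODE_SPAN_NOTE));
```

Where a note needs no formatting at all, assigning it through the DOM's `textContent` property avoids HTML parsing entirely.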
