XSS possible through GFM-rendered fields #3471
Comments
This is known and expected behavior. There was some discussion a while back (though I can't find a GitHub issue for it) where we decided to allow raw HTML in comment fields. The logic was that since only authenticated users are permitted to post content, the risk would be acceptable for most use cases. I don't have a strong opinion on this either way: We can leave it as-is, or we can disable HTML entirely and leave only GitHub-flavored Markdown (GFM) rendering. What I don't want to do is start maintaining a whitelist/blacklist of HTML tags that should or should not be permitted. That's a lot of overhead and frankly overkill given the type of content intended to be stored in these fields.
It is not clear to me why an HTML component must be inserted in a comment function. A stored XSS can lead to privilege escalation, and therefore the possibility of accessing administrative functions.
And yet, other users might need it. I'm not going to remove a piece of functionality from the application without some discussion. Hence the "gathering feedback" tag.
What about creating a new permission that allows users to use HTML or not (only Markdown or whatever)?
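The thread above weighs three ways of handling raw HTML in a comment field (pass it through, disable it entirely, or keep a tag allow-list) and a per-user permission to choose between them. The following is an added example, not NetBox code, showing what each of those policies does to the same constructed comment. It assumes the Markdown step has already run and passed any raw HTML through unchanged (the default of Python-Markdown), so the functions operate on the comment string directly; the allow-list sanitizer is built on the standard library's `html.parser` rather than on bleach, and the tag set, `render_comment`, and `choose_policy` are names chosen for this illustration.

```python
import html
from html.parser import HTMLParser

# Allow-list of tags GFM itself produces for comment-style content (assumed for this example).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre",
                "ul", "ol", "li", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # everything else (onclick, style, ...) is dropped
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags and attributes.

    Disallowed tags are dropped with their attributes (their text content is kept,
    escaped); <script> bodies become plain text; comments are discarded; every
    attribute value and text node is re-escaped on output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops event handlers, style, etc.
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                      # drops javascript:, data: and other schemes
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # <br/> -> <br>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()                          # flush any buffered text
        return "".join(self.out)


def sanitize_allowlist(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    return parser.result()


def render_comment(text: str, policy: str) -> str:
    """Apply one of the three policies discussed in the issue to a comment."""
    if policy == "raw":                       # current behaviour: raw HTML reaches the page
        return text
    if policy == "escape":                    # "disable HTML entirely": every tag becomes text
        return html.escape(text, quote=True)
    if policy == "allowlist":                 # maintain a list of permitted tags
        return sanitize_allowlist(text)
    raise ValueError(f"unknown policy: {policy}")


def choose_policy(user_may_post_html: bool) -> str:
    """The per-user permission suggested above, mapped onto a rendering policy (assumed)."""
    return "allowlist" if user_may_post_html else "escape"


if __name__ == "__main__":
    # Constructed sample comment: legitimate formatting plus an injected script tag.
    sample = '<b>rack moved</b> <a href="https://example.invalid/ticket">ticket</a><script>alert(1)</script>'
    for policy in ("raw", "escape", "allowlist"):
        print(f"{policy:9s} -> {render_comment(sample, policy)}")
    print("permission off ->", render_comment(sample, choose_policy(False)))
```

Under the `raw` policy the script tag is emitted verbatim; `escape` neutralises it but also turns the legitimate `<b>` and `<a>` into literal text, which is the trade-off the maintainer describes; `allowlist` keeps the formatting, drops the script element, and strips any `href` whose scheme is not in the allowed set, which is the maintenance burden the maintainer would rather avoid.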
Netbox is vulnerable to stored XSS due to lack of filtration of user-supplied [Authenticated User]
Environment
Parameter:
name="comments" [ works on all pages where the parameter is present ]
PoC
A CVE will be requested.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)