User can inject JavaScript code into the text node which can cause security issues (Cross-Site Scripting) #772

Closed
1 of 2 tasks
GowriAradhya opened this issue Aug 5, 2022 · 0 comments

@GowriAradhya

What are the steps to reproduce?

Drag a Dashboard Text node and an inject node into the Node-RED workspace. Click on Edit text node and set the value format to {{constructor.constructor('alert(document.cookie)')()}}.

What happens?

Malicious script code can be injected permanently into Node-RED. Using injected code, a
user could, for example, steal Node-RED identifiers or any other sensitive information.

What do you expect to happen?

When data in JavaScript format is injected into the text node, the output must be converted to a string.

Please tell us about your environment:

  • [x] Node-RED-Dashboard version: 3.1.2
  • [x] Node-RED version: 2.1.4
  • [x] node.js version: 14.18.2
  • npm version:
  • Platform/OS: docker
  • [x] Browser: Chrome
@dceejay closed this as completed in 9305d1a on Sep 9, 2022
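For operators reviewing existing flows for the value-format issue reported above, the following is an added example (not code from Node-RED, the dashboard project, or commit 9305d1a) that audits a flow export for text nodes whose `{{ }}` bindings are anything other than a plain `msg` property path. It assumes the text node is exported with type `ui_text` and a `format` property; the sample flow is constructed.

```javascript
// Added example: allowlist audit of Dashboard text node value formats.
// Assumption: text nodes export as type "ui_text" with a "format" string.

// Only dotted property paths rooted at msg (with optional numeric indexes)
// are treated as safe, e.g. msg.payload or msg.items[0].name.
const SAFE_BINDING = /^\s*msg(?:\.[A-Za-z_$][\w$]*|\[\d+\])*\s*$/;

// Return the raw text of every {{ ... }} binding in a format string.
function extractBindings(format) {
  const bindings = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let match;
  while ((match = re.exec(format)) !== null) {
    bindings.push(match[1]);
  }
  return bindings;
}

// Report each text node binding that is not a plain msg property path.
function auditFlow(nodes) {
  const findings = [];
  for (const node of nodes) {
    if (node.type !== "ui_text" || typeof node.format !== "string") continue;
    for (const expr of extractBindings(node.format)) {
      if (!SAFE_BINDING.test(expr)) {
        findings.push({ id: node.id, name: node.name || "", expression: expr.trim() });
      }
    }
  }
  return findings;
}

// Constructed sample export: one default binding, the value format from
// this issue, one nested-path binding, and a non-text node.
const sampleFlow = [
  { id: "a1", type: "ui_text", name: "temp", format: "{{msg.payload}}" },
  { id: "b2", type: "ui_text", name: "note",
    format: "{{constructor.constructor('alert(document.cookie)')()}}" },
  { id: "c3", type: "ui_text", name: "mix",
    format: "{{msg.payload.value}} / {{msg.items[0]}}" },
  { id: "d4", type: "inject", name: "tick" },
];

console.log(auditFlow(sampleFlow));
```

The allowlist is deliberately strict, so bindings that use filters or arithmetic are also reported and need manual review.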