What are the steps to reproduce?
Drag a Dashboard Text node and an Inject node into the Node-RED workspace. Click on Edit text node and add the value format value as {{constructor.constructor('alert(document.cookie)')()}}.
What happens?
Malicious script code can be injected permanently into Node-RED. Using injected code, a user could, for example, steal Node-RED identifiers or any other sensitive information.
What do you expect to happen?
When data in JavaScript format is injected into the text node, the output must be converted to a string.
Please tell us about your environment:
[x] Node-RED-Dashboard version: 3.1.2
[x] Node-RED version: 2.1.4
[x] node.js version: 14.18.2
npm version:
Platform/OS: docker
[x] Browser: Chrome
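
The report above concerns what the text node's value format is allowed to contain. As a defensive check, this added example (not part of the original issue and not Node-RED-Dashboard's own code) scans an exported flow for `ui_text` nodes whose `format` template holds anything other than a plain `msg` property binding. The function names, the allowlist rules and the sample flow are assumptions constructed for illustration.

```javascript
'use strict';

// Allowlist: a binding must be a plain property path on msg, optionally
// followed by AngularJS filters whose arguments are literals only.
const SAFE_PATH = /^msg(?:\.[A-Za-z_$][\w$]*|\[\d+\])*$/;
const SAFE_FILTER = /^[A-Za-z]\w*(?:\s*:\s*(?:-?\d+(?:\.\d+)?|'[^'(){}]*'|"[^"(){}]*"))*$/;
// Path segments that reach object internals are rejected even without a call.
const BLOCKED_SEGMENTS = new Set(['constructor', '__proto__', 'prototype']);

function isSafeBinding(expr) {
  const [path, ...filters] = expr.split('|').map((s) => s.trim());
  if (!SAFE_PATH.test(path)) return false;
  if (path.split(/[.\[\]]/).some((seg) => BLOCKED_SEGMENTS.has(seg))) return false;
  return filters.every((f) => SAFE_FILTER.test(f));
}

// flows: the array produced by a Node-RED flow export (assumed shape:
// dashboard text nodes have type "ui_text" and a string "format" field).
function auditFlows(flows) {
  const findings = [];
  for (const node of flows) {
    if (node.type !== 'ui_text' || typeof node.format !== 'string') continue;
    for (const m of node.format.matchAll(/\{\{([\s\S]*?)\}\}/g)) {
      const expr = m[1].trim();
      if (!isSafeBinding(expr)) {
        findings.push({ id: node.id, name: node.name || '', expr });
      }
    }
  }
  return findings;
}

// Constructed sample export; a3 carries the value format quoted in the report.
const SAMPLE_FLOWS = [
  { id: 'a1', type: 'ui_text', name: 'temp', format: '{{msg.payload}}' },
  { id: 'a2', type: 'ui_text', name: 'rounded', format: '{{msg.payload.value | number:1}} C' },
  { id: 'a3', type: 'ui_text', name: 'report',
    format: "{{constructor.constructor('alert(document.cookie)')()}}" },
  { id: 'a4', type: 'ui_text', name: 'proto', format: '{{msg.constructor}}' },
  { id: 'a5', type: 'inject', name: 'tick' },
];

console.log(JSON.stringify(auditFlows(SAMPLE_FLOWS), null, 2));
```

The allowlist is deliberately conservative: a legitimate but more complex expression is reported for manual review rather than passed.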