Harden invidio.us #1022
Comments
#1023 adopts a good Content Security Policy. |
Could you please provide a working link to a PoC? The provided link https://invidio.us/search?q=</tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s appears to be escaped properly. |
Can you try this:
https://invidio.us/search?q=</tItle><a/+/onmOusEOVER+=+confim()%0dx//v3dm0s
Omar Roth:
… Could you please provide a working link to a PoC? The provided link https://invidio.us/search?q=</tiTLe><a%0aONMousEOvER%0d=%0d[8].find(confirm)//v3dm0s appears to be escaped properly.
|
Just as a reminder: #1023 is ready to be merged which prevents this and all future kinds of XSS. |
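The thread's two points of discussion are whether the `q` parameter is escaped before it is reflected into the page's `<title>` and whether a Content Security Policy stops injected script from running. The following added example (not code from the Invidious project or from anyone in this thread) shows both checks side by side: a vulnerable and a hardened title renderer, a small CSP directive parser, and an `audit` function that reports the weaknesses of one response. The sample URLs and both policy strings are constructed for the example; the hardened policy is an assumed value in the spirit of the one #1023 is said to adopt, not the PR's actual header.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample search URLs shaped like the links in the thread (not the real ones).
SAMPLE_URLS = [
    "https://example.invalid/search?q=</title><a onmouseover=confirm()>x",
    "https://example.invalid/search?q=%3C%2FtItle%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
    "https://example.invalid/search?q=rust+lang",
]

# Assumed policies for illustration, not the headers the project actually sends.
HARDENED_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                "base-uri 'self'; frame-ancestors 'none'")
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"


def query_from_url(url):
    """Extract the q parameter the way a search handler would receive it (percent- and plus-decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_title_unsafe(q):
    """Vulnerable pattern: the query is interpolated verbatim, so a value containing
    </title> ends the element early and whatever follows is parsed as new markup."""
    return f"<title>{q} - Invidious</title>"


def render_title_safe(q):
    """Hardened pattern: & < > " ' are escaped before interpolation, so the query is only text."""
    return f"<title>{html.escape(q, quote=True)} - Invidious</title>"


def reflected_breaks_out(rendered):
    """True if the reflected part of the rendered title still carries raw markup characters."""
    inner = rendered[len("<title>"):-len(" - Invidious</title>")]
    return "<" in inner or ">" in inner


def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(csp):
    """Report policy weaknesses that would let an injected element execute script."""
    if not csp:
        return ["missing Content-Security-Policy header"]
    d = parse_csp(csp)
    findings = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: inline scripts run unrestricted")
    else:
        if "'unsafe-inline'" in script:
            findings.append("script-src permits 'unsafe-inline': injected handlers still run")
        if "*" in script:
            findings.append("script-src permits any origin")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src unset: plugin content can load")
    return findings


def audit(url, render, csp):
    """Return every weakness found for one response: output encoding plus policy."""
    q = query_from_url(url)
    findings = []
    if reflected_breaks_out(render(q)):
        findings.append(f"query reflected unescaped into <title>: {q!r}")
    findings.extend(csp_findings(csp))
    return findings


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        print("  before hardening:", audit(url, render_title_unsafe, None))
        print("  after hardening: ", audit(url, render_title_safe, HARDENED_CSP))
```

Output encoding and the policy are independent layers: escaping fixes the injection at its source, while a `script-src` without `'unsafe-inline'` limits the damage if some other template is missed. Running the script prints two findings per crafted URL before hardening and none after.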
So attacks such as XSS (see [0]) will no longer be an issue. [0]: iv-org#1022
After the commit, video thumbnails won't load, and doing anything else gets stuck. |
@tleydxdy works just fine on my end. Please check if https://invidious.snopyta.org/ (runs on the most recent commit) produces the same issue. |
Same error.
|
invidio.us needs some security auditing. This is an XSS vulnerability reported by the XSStrike scanner:
This is a report of a surface scan of invidio.us using the zaproxy scanner:
https://anonfile.com/52VaX1W8nd/invidious_html