Security issue - XSS through Octotree #299
Comments
Which browser is this? I accessed the linked repo on Chrome, didn't see the popup.

Thanks, xss protection indeed. Already fixed and released, should be in stores soon.

Nice! Thank you!

Nice find 👍

Hi!
There's a security flaw that compromises user data when using Octotree + GitHub.
The failure happens when you define a branch name that contains script, e.g. <script>alert('xss')</script>, define it as the default branch of the repo and navigate to a URL that doesn't contain the tree combobox (Issues, Pull Requests, Wiki, Stargazers, etc.). This repo has a harmless example: https://github.com/brunocvcunha/-script-alert-xaxa-script-/wiki

Best Regards,
Bruno Candido Volpato da Cunha