
XSS via filenames #9

Closed
gregose opened this issue May 13, 2014 · 2 comments
@gregose

gregose commented May 13, 2014

Filenames are added to jsTree without sanitization. jsTree will render HTML passed as a tree node's text. This can lead to cross-site scripting and potentially compromise GitHub tokens stored in local storage and access GitHub sessions.

@gregose gregose changed the title XSS in via filenames XSS via filenames May 13, 2014
@buunguyen
Collaborator

@gregose thanks for bringing this to attention. Is there any chance GitHub API already sanitizes file and folder names?

@gregose
Author

gregose commented May 14, 2014

@buunguyen no, it does not. It would be nice if jsTree had an option to not render HTML, but I'm not sure it does.

@buunguyen buunguyen added the bug label May 19, 2014
@buunguyen buunguyen added this to the 1.1 milestone May 19, 2014
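The fix the thread points toward, as an added example that is not Octotree's or jsTree's own code: since jsTree inserts a node's `text` as HTML, escape the file name on the way in rather than relying on a renderer option. The tree entry fields (`path`, `name`, `type`), the helper names and the sample tree below are assumptions made for the illustration; the malicious file name is constructed.

```javascript
// Added example (not Octotree's or jsTree's code): escape untrusted file
// names before handing them to jsTree, which treats a node's `text` as HTML.

// Minimal HTML escaping: every character that can open a tag, close an
// attribute or start an entity is replaced by its entity, so the browser
// renders the name as text instead of markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the file name from the API goes straight into `text`.
// A file called `<img src=x onerror=alert(1)>.js` becomes live markup.
// (Field names path/name/type are assumed for this example.)
function buildNodeUnsafe(entry) {
  return { id: entry.path, text: entry.name, type: entry.type };
}

// Hardened shape: escape before building the node.
function buildNodeSafe(entry) {
  return { id: entry.path, text: escapeHtml(entry.name), type: entry.type };
}

// Constructed sample: a repository tree with one malicious file name.
const SAMPLE_TREE = [
  { path: 'src', name: 'src', type: 'tree' },
  { path: 'src/index.js', name: 'index.js', type: 'blob' },
  {
    path: 'src/<img src=x onerror=alert(1)>.js',
    name: '<img src=x onerror=alert(1)>.js',
    type: 'blob',
  },
];

function buildTree(entries, build = buildNodeSafe) {
  return entries.map(build);
}

// Check used by the test below: does any node text still contain a raw
// '<' or '>' that could start a tag once jsTree injects it via innerHTML?
function containsRawMarkup(nodes) {
  return nodes.some((n) => /[<>]/.test(n.text));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(containsRawMarkup(buildTree(SAMPLE_TREE, buildNodeUnsafe))); // true
  console.log(containsRawMarkup(buildTree(SAMPLE_TREE, buildNodeSafe)));   // false
  console.log(buildTree(SAMPLE_TREE)[2].text);
}
```

The escaping above is only correct for the `text` field, which jsTree renders as HTML. If the same name is also placed into an attribute value, a jQuery selector or a URL, each of those contexts needs its own encoding; escape once, at the point of insertion, and avoid escaping the stored name itself so it is not double-encoded if jsTree is later configured to render plain text.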