XSS on admin login page #639

eikes opened this Issue Aug 22, 2011 · 1 comment


eikes commented Aug 22, 2011

The :email and :password variables are not escaped in the Admin controller. Also GET vars can be used where only POST should be used.

possibly adding

  params[:email] = escape_html(params[:email])
  params[:password] = escape_html(params[:password])

  flash[:warning] = "Login or password wrong."

might help, but I haven't tried it.

Example for this XSS (view in Firefox or Opera or IE, Webkit filters this kind of XSS):




DAddYE commented Aug 23, 2011

Thanks man, will be applied soon!

@DAddYE DAddYE closed this in 9f4c315 Aug 30, 2011
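The two problems eikes reports, a reflected parameter rendered unescaped and a login action that accepts GET, illustrated in plain Ruby. This is an added example and not Padrino's code or the fix in the referenced commit; it assumes the login page echoes the submitted email back into the form (a common pattern, but an assumption here), uses CGI.escapeHTML from the standard library in place of the framework's escape_html helper, and uses a constructed attacker payload.

```ruby
require 'cgi'

# Constructed attacker input for the demonstration (not from the original report).
# Breaks out of a quoted attribute and injects a script element.
PAYLOAD = %q{"><script>alert(1)</script>}

# Vulnerable form rendering (assumed pattern): the raw parameter is interpolated
# into markup, so the quote in the payload terminates the value attribute.
def login_form_vulnerable(params)
  %(<input type="text" name="email" value="#{params[:email]}">)
end

# Stand-in for the framework's escape_html helper suggested in the report.
def escape_html(value)
  CGI.escapeHTML(value.to_s)
end

# Hardened rendering: every reflected parameter is HTML-escaped first.
def login_form_safe(params)
  %(<input type="text" name="email" value="#{escape_html(params[:email])}">)
end

# Second point of the report: credentials should only be accepted via POST,
# which keeps them out of URLs, referrers, and server logs.
def login_request_allowed?(http_method)
  http_method.to_s.upcase == 'POST'
end

# Cheap check used below: does the rendered markup still contain a live tag?
def contains_script_tag?(html)
  html.include?('<script')
end

if __FILE__ == $0
  params = { email: PAYLOAD, password: 'irrelevant' }
  puts "vulnerable: #{login_form_vulnerable(params)}"
  puts "escaped:    #{login_form_safe(params)}"
  puts "GET login allowed?  #{login_request_allowed?('GET')}"
  puts "POST login allowed? #{login_request_allowed?('POST')}"
end
```

Escaping at the point of output (or, as the report suggests, on the params before they reach the view) turns the quote and angle brackets into entities, so the browser treats the payload as text inside the attribute rather than as markup. Restricting the action to POST does not stop XSS by itself, but it removes the one-click link vector that makes a reflected login-page XSS easy to deliver.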
