XSS on admin login page #639

eikes opened this Issue Aug 22, 2011 · 1 comment

The :email and :password variables are not escaped in the Admin controller. Also, GET vars can be used where only POST should be used.

possibly adding

  # escape the submitted credentials before they are reflected back into the page
  params[:email] = escape_html(params[:email])
  params[:password] = escape_html(params[:password])

  flash[:warning] = "Login or password wrong."

might help, but I haven't tried it.

Example for this XSS (view in Firefox or Opera or IE, Webkit filters this kind of XSS):
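An added illustration of the two points raised in this issue, not code from Padrino or from the reporter: a login form that reflects the submitted e-mail unescaped next to its escaped counterpart, and a handler that refuses credentials sent over GET. ERB::Util.html_escape from the Ruby standard library stands in for Padrino's escape_html helper, and the form path is hypothetical.

```ruby
require 'erb'

# Minimal stand-in for an admin login page: after a failed login the form
# re-displays the submitted e-mail, which is where the reported XSS sits.
# The action path is hypothetical, not Padrino's real route.
LOGIN_FORM = <<~HTML
  <form method="post" action="/admin/login">
    <input type="text" name="email" value="%{email}">
    <input type="password" name="password">
    <p class="warning">%{warning}</p>
  </form>
HTML

# Vulnerable: the raw parameter is interpolated straight into the HTML.
def render_login_unsafe(params, warning = "Login or password wrong.")
  format(LOGIN_FORM, email: params["email"].to_s, warning: warning)
end

# Hardened: every user-controlled value is HTML-escaped at output time.
# ERB::Util.html_escape is used here as the stdlib equivalent of Padrino's
# escape_html helper (an assumption of this example).
def render_login_safe(params, warning = "Login or password wrong.")
  format(LOGIN_FORM,
         email: ERB::Util.html_escape(params["email"].to_s),
         warning: ERB::Util.html_escape(warning))
end

# Only accept credentials over POST: a crafted link carrying ?email=...
# must never reach the form renderer.
def handle_login(method, params)
  return { status: 405, body: "Method Not Allowed" } unless method == "POST"
  { status: 200, body: render_login_safe(params) }
end

# Constructed sample input (not from the issue): an "e-mail" carrying a tag.
SAMPLE = { "email" => "<i>not-an-email</i>", "password" => "x" }

# True when the tag reached the page as live markup instead of escaped text.
def tag_survives?(html)
  html.include?("<i>not-an-email</i>")
end

if __FILE__ == $0
  puts render_login_unsafe(SAMPLE) # tag rendered as markup
  puts render_login_safe(SAMPLE)   # tag rendered as &lt;i&gt;...&lt;/i&gt;
end
```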


Padrino Framework member

Thanks man, will be applied soon!

@DAddYE DAddYE added a commit that closed this issue Aug 30, 2011
@DAddYE DAddYE Fix #639 9f4c315
@DAddYE DAddYE closed this in 9f4c315 Aug 30, 2011