Hi, there is a reflected Cross-Site Scripting vulnerability via the back parameter.
The XSS payload is executed after clicking on the « Zpět button, example:
I would suggest using something like Bleach:
to prevent such issues in the future :)
Thanks for pointing out, I will fix this ASAP.
I've added some additional checks in 1bd25d9 which I hope are sufficient, i.e. we only allow relative URLs to be passed in ?back. Can you please have a look?
Hey, it was a very minor issue, so thanks for the very quick response! Checking for the empty scheme is efficient in case of XSS here, but it still allows open redirect:
from urllib.parse import urlparse
url = '//google.com'
parsed = urlparse(url)
# ParseResult(scheme='', netloc='google.com', path='', params='', query='', fragment='')
So something like this will still work:
But at this point I think that it's not worth the effort to fix it.
OK, I'll add a check that netloc is empty, too :) This should fix it completely. I will release that ASAP.
Fixed in fa84364.
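The two checks discussed in this thread (empty scheme, then empty netloc), written out as an added example that is not the project's own code; the function names are mine. It also goes one step beyond the thread: browsers normalise a backslash to a forward slash, so the normalised form of the value is validated as well.

```python
from urllib.parse import urlparse


def scheme_only_check(url: str) -> bool:
    """The first fix as described in the thread: accept anything without a scheme.

    This stops 'javascript:' and 'http://' values, but a protocol-relative
    '//example.test' has an empty scheme and a non-empty netloc, so it passes.
    """
    return urlparse(url).scheme == ''


def is_safe_back_url(url: str) -> bool:
    """Accept only same-site paths such as '/orders/42?page=2'.

    Rejects values with a scheme or a netloc (the two checks from the thread)
    and, additionally, validates the backslash-normalised form, because a
    browser turns '/\\example.test' into '//example.test' even though
    urlparse() reports an empty netloc for the raw value.
    """
    if not url or not url.startswith('/') or url.startswith('//'):
        return False
    for candidate in (url, url.replace('\\', '/')):
        parsed = urlparse(candidate)
        if parsed.scheme or parsed.netloc:
            return False
    return True


if __name__ == '__main__':
    # Constructed sample values for the ?back parameter.
    samples = ['/orders/42?page=2', '//example.test', 'javascript:alert(1)',
               'http://example.test/', '/\\example.test', '']
    for value in samples:
        print(f'{value!r:28} scheme-only={scheme_only_check(value)!s:5} '
              f'hardened={is_safe_back_url(value)}')
```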