Multiple reflected XSS #7133
Labels: bug (the issue is regarding one of our programs which faces problems when a certain task is executed)
Comments
tsparksh added the bug label on Jan 7, 2020
This issue may be helpful #3549
This is a great catch! Would you be able to suggest a fix based on #3549?
Or to open a PR?
We can use built-in Rails sanitizers for this.
Here, each template with the above vulnerabilities could be resolved by replacing `<%= params[:potentially_unsafe_user_generated_content] %>` with `<%=h params[:potentially_unsafe_user_generated_content] %>`. Yeah!
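An added example (not code from plots2) that reproduces the fix suggested above with Ruby's standard-library ERB, which, like the templates in question, does not escape output on its own; the `h` it uses is `ERB::Util.html_escape`, the same method behind Rails' `h` view helper. The `params` hash, the template text and the `contains_raw_tag?` regression check are assumptions made for the example.

```ruby
require "erb"
include ERB::Util # supplies h (html_escape); Rails' `h` helper is this same method

# Constructed sample payload: the one quoted in the issue body.
PAYLOAD = "<img src=x onerror=prompt('xss')>".freeze

# Vulnerable shape described in the thread: the parameter is interpolated unescaped.
UNSAFE_TEMPLATE = ERB.new("<p class=\"comment\"><%= params[:comment] %></p>")
# The fix suggested in the thread: escape with h before the value reaches the page.
SAFE_TEMPLATE   = ERB.new("<p class=\"comment\"><%=h params[:comment] %></p>")

# Renders a template with a plain hash standing in for Rails' params.
def render(template, params)
  template.result(binding)
end

def render_unsafe(params)
  render(UNSAFE_TEMPLATE, params)
end

def render_safe(params)
  render(SAFE_TEMPLATE, params)
end

# Regression check a reviewer can run over rendered output: no HTML tag that
# appeared in the untrusted input may survive verbatim in the page.
def contains_raw_tag?(html, untrusted)
  untrusted.scan(/<[a-zA-Z][^>]*>/).any? { |tag| html.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  params = { comment: PAYLOAD }
  puts render_unsafe(params) # tag passes through unchanged
  puts render_safe(params)   # tag arrives as &lt;img ...&gt; and is inert
end
```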
I think I got them all and made FTOs from them. 5 and 6 should be tested one more time on stable.publiclab.org once they merge!
Please describe the problem (or idea)
While taking the input for the comment, filtering of the input does not happen, so the XSS script is executed.
Payload I've used:
<img src=x onerror=prompt('xss')>
Please show us where to look
Please have a look at this link for more information on XSS.
Filter the input containing Script tags like <,>-,% and all other payload inputs