
Escape category images to avoid backend XSS #639

Merged
merged 1 commit into from Sep 28, 2019

Conversation

hannob (Contributor) commented Sep 17, 2019

It is possible to cause a backend XSS via the category icons.

PoC:

  1. Create a category with something like "> in the "Category Image" field.
  2. Start a blog post, select this category and click on Preview.

I'm aware that s9y isn't really protected against backend XSS due to the blog posts themselves not being XSS safe, but still I think output should be properly escaped.

This is a fix within the templates, so naturally other templates won't automatically get that fix.
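The pattern behind the PoC, as an added illustration that is not code from this PR or from s9y: a category image path written verbatim into an `<img>` attribute versus the same value HTML-escaped first. Function names and the `$category` array layout are assumed for the example; the `">` input is the one from the PoC above.

```php
<?php
// Added example, not s9y code. Shows why an unescaped "Category Image" value
// breaks out of the src attribute, and the escaping the template fix applies.

// Escape &, <, >, " and ' so a value can never terminate the attribute it sits in.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: raw database fields interpolated into HTML.
function renderCategoryIconUnsafe(array $category): string
{
    return '<img src="' . $category['category_icon'] . '" alt="'
        . $category['category_name'] . '">';
}

// Fixed pattern: every dynamic value passes through escapeAttr() on output.
function renderCategoryIconEscaped(array $category): string
{
    return '<img src="' . escapeAttr($category['category_icon']) . '" alt="'
        . escapeAttr($category['category_name']) . '">';
}

// Review/test helper: the output must be exactly one <img> element whose
// attribute values contain no quote or angle bracket (i.e. nothing broke out).
function isSingleImgTag(string $html): bool
{
    return (bool) preg_match('/^<img(?: [a-z]+="[^"<>]*")*>$/', $html);
}

// Constructed sample category; the icon value mirrors the PoC input.
$category = [
    'category_name' => 'Travel',
    'category_icon' => '">',
];

echo renderCategoryIconUnsafe($category), PHP_EOL;
echo renderCategoryIconEscaped($category), PHP_EOL;
var_dump(isSingleImgTag(renderCategoryIconUnsafe($category)));
var_dump(isSingleImgTag(renderCategoryIconEscaped($category)));
```

Run with `php example.php`: the unsafe rendering closes the `src` attribute early and fails the check, while the escaped rendering yields `src="&quot;&gt;"` and passes.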

@onli onli merged commit fa8e77c into s9y:master Sep 28, 2019
onli added a commit that referenced this pull request Sep 28, 2019
onli (Member) commented Sep 28, 2019

Does this really need a backport currently, @th-h ?

onli (Member) commented Sep 28, 2019

And thank you, @hannob !
