
Background storage XSS #27

Closed
wind226 opened this issue Nov 19, 2019 · 5 comments
Comments

wind226 commented Nov 19, 2019

Background storage XSS
Step 1:
https://cms.publiccms.com/case.html, submit a case
[image]
Step 2:
The administrator reviews the submitted case, which triggers the XSS
[image]
Click to trigger the XSS
[image]

sanluan (Owner) commented Nov 21, 2019

Sorry, this problem can't be avoided for now; the article body has to be rich text.
The next version will separate contributed content from regular content and drop the preview of contributions before review.

wind226 (Author) commented Nov 21, 2019

> Sorry, this problem can't be avoided for now; the article body has to be rich text.
> The next version will separate contributed content from regular content and drop the preview of contributions before review.

You can filter sensitive characters, or escape double quotes, single quotes and angle brackets; that is enough to avoid the XSS.

sanluan (Owner) commented Nov 21, 2019

I just committed code. The current solution is to flag contributed articles; for contributed articles that have not been reviewed yet, safe escaping is applied by default.

wind226 (Author) commented Nov 21, 2019

> I committed code earlier. The current solution is to flag contributed articles; for contributed articles that have not been reviewed yet, safe escaping is applied by default.

Safe escaping works as a solution.
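
The mitigation agreed on in this thread (flag contributed articles, escape their body while unreviewed, escape the quote and angle-bracket characters wind226 lists), shown as an added illustrative example. This is not PublicCMS's own Java code; the `Article` record, its `contributed`/`reviewed` fields and the sample submission are constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class Article:
    title: str
    body_html: str      # rich-text body, stored exactly as submitted
    contributed: bool   # True when it came in through the public "submit case" form
    reviewed: bool      # True once an administrator has approved it


def render_preview_unpatched(article: Article) -> str:
    """The behaviour reported in the issue: the rich-text body is placed on the
    review page as-is, so markup in an unreviewed submission runs in the admin's browser."""
    return f"<h1>{html.escape(article.title)}</h1>\n<div class=\"body\">{article.body_html}</div>"


def render_preview(article: Article) -> str:
    """The mitigation the maintainer describes: contributed articles are flagged and,
    until reviewed, their body is escaped by default. html.escape(quote=True) neutralises
    exactly the characters suggested in the thread (ampersand, angle brackets, both quotes).
    Reviewed or staff-authored content is still rendered as rich text."""
    if article.contributed and not article.reviewed:
        body = html.escape(article.body_html, quote=True)
    else:
        body = article.body_html
    return f"<h1>{html.escape(article.title)}</h1>\n<div class=\"body\">{body}</div>"


# Constructed sample submission, standing in for what an untrusted visitor could post.
SAMPLE_SUBMISSION = Article(
    title="Our deployment story",
    body_html="<p>Great CMS!</p><script>alert(1)</script>",
    contributed=True,
    reviewed=False,
)


def contains_script_tag(rendered: str) -> bool:
    """Crude check: does the rendered preview still carry a raw <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_preview_unpatched(SAMPLE_SUBMISSION))
    print(render_preview(SAMPLE_SUBMISSION))
```

Note that escaping is only a stop-gap for the review preview; once an article is approved its rich text is rendered raw again, so the review step itself must be where a human decides the markup is acceptable.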

sanluan (Owner) commented Nov 21, 2019

Thanks a lot for finding this bug.

@sanluan sanluan closed this as completed Dec 7, 2019