Dumb XSS hole #2

simonw · 2021-08-09T01:53:22Z

select 'select ''<script>alert(/ohno/)</script>'''

https://latest-with-plugins.datasette.io/fixtures?sql=select+%27select+%27%27%3Cscript%3Ealert%28%2Fohno%2F%29%3C%2Fscript%3E%27%27%27

Due to this code:

datasette-query-links/datasette_query_links/__init__.py

Line 36 in 060d385

return markupsafe.Markup('<a href="{}">{}</a>'.format(path, value))

The text was updated successfully, but these errors were encountered:

Refs #1, #2

Fix for security issue in simonw/datasette-query-links#2

simonw · 2021-08-09T02:07:23Z

Fix is now deployed: https://latest-with-plugins.datasette.io/fixtures?sql=select+%27select+%27%27%3Cscript%3Ealert%28%2Fohno%2F%29%3C%2Fscript%3E%27%27%27

simonw · 2021-08-09T02:08:03Z

I'm going to delete the 0.1 release from PyPI just to make absolutely sure no-one ever installs it by accident.

simonw · 2021-08-09T02:10:21Z

I chose to "delete" rather than "yank" because I'm confident no-one has pinned to version 0.1 of this library anywhere. https://blog.piwheels.org/new-features-deletion-yanking-and-more/

simonw added the bug Something isn't working label Aug 9, 2021

simonw closed this as completed in 233a07e Aug 9, 2021

simonw added a commit that referenced this issue Aug 9, 2021

Release 0.1.1

ea89a7f

Refs #1, #2

simonw added a commit to simonw/latest-datasette-with-all-plugins that referenced this issue Aug 9, 2021

datasette-query-links>=0.1.1

cd6074e

Fix for security issue in simonw/datasette-query-links#2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dumb XSS hole #2

Dumb XSS hole #2

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021

Dumb XSS hole #2

Dumb XSS hole #2

Comments

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021

simonw commented Aug 9, 2021