Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS issue in Client Secrets and Api Resource Secrets #813

Closed
skoruba opened this issue Mar 11, 2021 · 1 comment
Closed

XSS issue in Client Secrets and Api Resource Secrets #813

skoruba opened this issue Mar 11, 2021 · 1 comment
Assignees

Comments

@skoruba
Copy link
Owner

skoruba commented Mar 11, 2021

In the views ClientSecret and ApiResourceSecret is not HTML encoded data attribute data-secret-value on the button:

<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="clientSecret.Value"><i class="fa fa-eye"></i></button></td>

This data attribute is used in the dialog with secret detail.

Fix:

<button class="secret-value-button btn btn-outline-primary" data-secret-value="@Html.Encode(clientSecret.Value)"><i class="fa fa-eye"></i></button>

I will send this fix asap.

Thanks to Silton Santos for reporting.

@skoruba skoruba self-assigned this Mar 11, 2021
b0 added a commit to b0/IdentityServer4.Admin that referenced this issue Mar 15, 2021
@skoruba skoruba closed this as completed Apr 26, 2021
@skoruba
Copy link
Owner Author

skoruba commented Apr 26, 2021

Fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant