XSS issue in Client Secrets and Api Resource Secrets #813

Closed
@skoruba

Description

In the views ClientSecret and ApiResourceSecret, the data attribute data-secret-value on the button is not HTML encoded:

<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="clientSecret.Value"><i class="fa fa-eye"></i></button></td>

This data attribute is used in the dialog with secret detail.

Fix:

<button class="secret-value-button btn btn-outline-primary" data-secret-value="@Html.Encode(clientSecret.Value)"><i class="fa fa-eye"></i></button>

I will send this fix asap.

Thanks to Silton Santos for reporting.
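The following is an added example, not code from the issue or from the project, illustrating the defect and the fix described above. It models the Razor output as a string and a browser's attribute tokenizer as a tiny reader, so it runs under Node without a DOM. The encoder mirrors the five characters HttpUtility.HtmlEncode escapes; the secret value and the function names are constructed for the example.

```javascript
// Added example (not part of the issue or the project): why the
// data-secret-value attribute must be HTML-encoded when the Razor view emits
// it, and that the browser-side read (e.g. button.dataset.secretValue) decodes
// the entities back to the original secret, so nothing is lost by encoding.

// Mirrors the five characters HttpUtility.HtmlEncode escapes.
function htmlAttributeEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the browser does when script reads the attribute back: entities are
// decoded to characters. "&amp;" is handled last so "&amp;lt;" -> "&lt;", not "<".
function htmlAttributeDecode(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Renders the <td> from the issue, either as the vulnerable view did (raw value)
// or as the fix does (@Html.Encode applied to the attribute value).
function renderSecretButton(secretValue, encode) {
  const attr = encode ? htmlAttributeEncode(secretValue) : secretValue;
  return `<td><button class="secret-value-button btn btn-outline-primary" data-secret-value="${attr}"><i class="fa fa-eye"></i></button></td>`;
}

// Minimal model of the HTML tokenizer: a double-quoted attribute value ends at
// the first raw '"'. Returns the decoded value the page would actually see.
function readAttribute(markup, name) {
  const start = markup.indexOf(`${name}="`);
  if (start < 0) return null;
  const valueStart = start + name.length + 2;
  const end = markup.indexOf('"', valueStart);
  return htmlAttributeDecode(markup.slice(valueStart, end));
}

// Constructed secret containing every character the encoder must handle.
const SAMPLE_SECRET = 'x"y<z>&w';

// Vulnerable rendering: the attribute is cut off at the first quote and the
// rest of the secret lands in the tag as markup, which is the XSS condition.
function vulnerableReadback() {
  return readAttribute(renderSecretButton(SAMPLE_SECRET, false), "data-secret-value");
}

// Fixed rendering: the whole secret survives the round trip intact.
function fixedReadback() {
  return readAttribute(renderSecretButton(SAMPLE_SECRET, true), "data-secret-value");
}

console.log("vulnerable:", JSON.stringify(vulnerableReadback())); // "x"
console.log("fixed:     ", JSON.stringify(fixedReadback()));      // "x\"y<z>&w"
```

The same rule applies on the receiving side: whatever reads data-secret-value to populate the dialog should place it with textContent (or jQuery `.text()`), not innerHTML, so the decoded secret is shown as text rather than parsed as markup a second time.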
