JavaScript injection vulnerability #880
Comments
yow, thanks for finding and reporting! will fix.
fortunately, bridgy has no login, user sessions, or any other browser-side credentials or state that could be exploited with this.... but still, definitely worth fixing regardless.
Thanks for taking care of this and also thank you for having created this neat service 👍
thanks again @freekmurze!
example: https://brid.gy/twitter/freekmurze?responses_before=2019-07-14T01:08:21.055275#responses note the escaped |
helps prevent XSSes. for snarfed/bridgy#880
As part of snarfed#880, we added a check to ensure that we would not be subject to Cross-Site Scripting attacks (XSS). However, as noted in snarfed#936, a post that does contain HTML is still being rejected. The simplest way to get around this is to escape the tags with the HTML entities corresponding with them, so they can be safely rendered. Closes snarfed#936.
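The two approaches described above, the strict reject-anything-that-looks-like-HTML check from #880 and the entity-escaping fix from this change, side by side as an added example. This is not Bridgy's code; the function names, the tag regex and the two sample texts are constructed for illustration. In a real Flask/Jinja2 application the template engine's autoescaping does the same job as `escape_for_html` here.

```python
import html
import re

# Constructed sample inputs (not real tweets): one carrying a script payload,
# one that legitimately talks about HTML in its text.
SCRIPT_PAYLOAD = '<script>alert("xss")</script> hello'
LEGIT_HTML_TEXT = 'Use <b>bold</b> tags sparingly'

# Rough tag matcher used by both the strict check and the post-render audit.
TAG_RE = re.compile(r'<[a-zA-Z/!][^>]*>')


def reject_if_html(text):
    """The overly strict check (the behaviour issue #936 complained about):
    any text that looks like it contains a tag is refused outright, so a
    legitimate post that merely mentions HTML is dropped along with the
    malicious one. Returns True when the text would be accepted."""
    return not TAG_RE.search(text)


def escape_for_html(text):
    """Replace the characters HTML gives meaning to (<, >, &, quotes) with
    their entities, so user-supplied text is rendered as literal characters
    rather than parsed as markup."""
    return html.escape(text, quote=True)


def render_response(text):
    """Build the HTML fragment for one response, escaping the untrusted text
    before interpolating it into the (hypothetical) template."""
    return '<div class="response">{}</div>'.format(escape_for_html(text))


def contains_raw_tags(fragment, allowed=('div',)):
    """Defender-side audit of rendered output: the only tags present should
    be the template's own. Any other tag means untrusted markup leaked
    through unescaped."""
    for match in TAG_RE.finditer(fragment):
        name = re.match(r'</?([a-zA-Z]+)', match.group(0))
        if not name or name.group(1).lower() not in allowed:
            return True
    return False


if __name__ == '__main__':
    # The strict check refuses both texts, which is the #936 false positive.
    print('strict check accepts legit text:', reject_if_html(LEGIT_HTML_TEXT))
    # Escaping keeps the legitimate post and neutralises the payload.
    print(render_response(LEGIT_HTML_TEXT))
    print(render_response(SCRIPT_PAYLOAD))
```

The point of the audit function is that the escaped output never contains a `<` that came from the user, so the only tags left are the ones the template itself wrote.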
When somebody creates a webmention by tweeting some JavaScript code, that JavaScript code is actually being executed.
You can find an example on my account: https://brid.gy/twitter/freekmurze
Look for the interaction with this tweet: https://twitter.com/enunomaduro/status/1150157457664008192