The Not allowed to load local resource exception is thrown on an attempt to insert a script to a form's title #5285

Closed
JaneSjs opened this issue Mar 1, 2024 · 6 comments · Fixed by #5292
Labels: bug, user issue

JaneSjs commented Mar 1, 2024

T17063 - xss script in title
https://surveyjs.answerdesk.io/internal/ticket/details/T17063

@JaneSjs JaneSjs added the user issue An issue or bug reported by users. label Mar 1, 2024
novikov82 added a commit that referenced this issue Mar 1, 2024
…n attempt to insert a script to a form's title

Fixes #5285
novikov82 added a commit that referenced this issue Mar 1, 2024
…n attempt to insert a script to a form's title (#5292)

Fixes #5285
srop commented Mar 4, 2024

@novikov82 `>"><img src="x:x" onerror="alert(document.cookie)">` could you try to Ctrl+V this script? Alert cookie is still found.

novikov82 commented Mar 4, 2024

@srop
The issue is done and closed but has not been released yet. Please wait for the v1.9.133 release. It is expected to be available in the middle of this week.

JaneSjs commented Mar 4, 2024

+1 T17086 - xss in title is still alert cookie
https://surveyjs.answerdesk.io/internal/ticket/details/T17086

JaneSjs commented Mar 5, 2024

+1 T17109 - Application is vulnerable to Cross-Site Scripting attack.
https://surveyjs.answerdesk.io/internal/ticket/details/T17109

@JaneSjs JaneSjs added the bug label Mar 5, 2024
srop commented Mar 6, 2024

@JaneSjs @novikov82

Thank you for the new version v1.9.133. I tried again but that issue is still found when I Ctrl+V `>"><img src="x:x" onerror="alert(document.cookie)">` this script on SurveyJS Creator at the survey title. You can try on your website. Please help to fix ASAP because I cannot deploy on my production.

Thank you

novikov82 commented

@srop We updated our site with the new version about 1 hour ago. Please try again.

@OlgaLarina OlgaLarina added this to the v1.9.133 milestone Mar 27, 2024