[Security] Stored XSS in platform name #53
Comments
Hello [edoardottt], thank you for your comment. The problem can be solved by applying String.removeTags(); to remove all HTML tags from the name in both forms that you mentioned, before submitting them. Example: Sure, there are other solutions in Total.js.

Don't rely on these naive solutions; there are specific libraries to sanitize input. You can use symbols in fields, but they will simply be rendered as pure text and not HTML.

Hi @edoardottt. Thank you for the report. I can't reproduce this issue because I think that it's related to the previous issue with the user name. I found a bug in a helper (on the FE) for generating name initials.

@petersirka exactly: if in the same instance you have injected the payload in the user name, this issue is not exploitable (because it's impossible to reach the settings). I had to deploy a new instance from scratch.

Closing. Again, thank you for the report.
Tested version: b80b09d (latest)
Steps to reproduce the vulnerability:
Use `"><img src=x onerror=alert(document.domain)>` as the platform name and save.
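As an added example (not code from Total.js or this project), the following shows the difference between interpolating a platform name raw into markup and escaping it on output, plus an initials helper that works on plain text only, exercised with the payload from the report above. The function names and the `<span>` markup are assumptions made for illustration; the escaper covers HTML text and attribute context.

```javascript
// Constructed test input: the payload quoted in the report.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern, kept only for comparison: the raw name is concatenated
// into an attribute and into element text, so the payload closes the
// attribute and injects an <img> element.
function renderPlatformNameUnsafe(name) {
  return '<span class="platform" title="' + name + '">' + name + '</span>';
}

// Hardened pattern: every interpolation goes through escapeHtml, so the
// input is displayed as plain text and the markup structure is preserved.
function renderPlatformName(name) {
  const safe = escapeHtml(name);
  return '<span class="platform" title="' + safe + '">' + safe + '</span>';
}

// Initials helper (hypothetical replacement for the front-end helper
// mentioned in the thread): take the first alphanumeric character of each
// word from the plain string, never from markup, then escape once more as
// defence in depth before the result is placed into the DOM.
function initials(name) {
  const words = String(name).trim().split(/\s+/).filter(Boolean);
  const letters = words
    .map((w) => (w.match(/[A-Za-z0-9]/) || [''])[0])
    .join('')
    .toUpperCase();
  return escapeHtml(letters);
}

// Simple check usable in a unit test: does the rendered markup still carry a tag
// other than the wrapper span?
function leaksTag(html) {
  const inner = html.replace(/^<span class="platform" title="[^"]*">/, '').replace(/<\/span>$/, '');
  return /<[a-z]/i.test(inner);
}
```

Running `leaksTag(renderPlatformNameUnsafe(PAYLOAD))` returns true while `leaksTag(renderPlatformName(PAYLOAD))` returns false; the payload survives only as visible text.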