Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unjust XSS notice in the backend editor #2250

Closed
enovision opened this issue Nov 3, 2018 · 4 comments
Closed

Unjust XSS notice in the backend editor #2250

enovision opened this issue Nov 3, 2018 · 4 comments
Assignees
@rhukster
Labels
enhancement

Comments

@enovision
Copy link

Warning:

NOTICE: Grav found potential XSS issues in content: 'invalid_protocols'

on:

### Validation

The API performs two types of validation on submitted data:

but not on:

### Validation

The API performs two types of validation on submitted dataaaa:

It seems that data: is seen as XSS potential.
@rhukster
Copy link
Member

rhukster commented Nov 3, 2018

Yup, data URLs are often used in XSS attacks: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

They can be used in a variety of different ways, so it's not easy to write a regex to catch only the problematic methods, so the regex simply searches for data:.

However, I could add an option to configure the protocols: https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Security.php#L132

For now, this is just a warning if you are a super admin.

@rhukster rhukster self-assigned this Nov 3, 2018
rhukster added a commit that referenced this issue Nov 3, 2018
@rhukster
Added option to configure list of xss_invalid_protocols in `Securit…
472b575 
…y` config #2250
@rhukster rhukster closed this as completed Nov 3, 2018
@lisandi
Copy link
Contributor

lisandi commented Oct 16, 2021

Grav found potential XSS issues in %s

We receive that in the backend but what is %s??

@mkocus
Copy link

mkocus commented Oct 27, 2021

We've got the same warning as @lisandi.
"%s" should be supplemented by some string (probably with explanation what has been found) - but it is not.

@w00fz w00fz reopened this Oct 27, 2021
@mahagr
Copy link
Member

mahagr commented Nov 3, 2021

Fixed %s for the next version.

@mahagr mahagr closed this as completed Nov 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rhukster rhukster

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@w00fz @mahagr @rhukster @enovision @lisandi @mkocus