Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS Issues #50

Closed
nlipke opened this issue Nov 26, 2013 · 4 comments
Closed

XSS Issues #50

nlipke opened this issue Nov 26, 2013 · 4 comments

Comments

@nlipke
Copy link

nlipke commented Nov 26, 2013

I found 3 area with XSS.

  1. Create an Model with a name of <script>alert('a')</script>
    1a. Click Delete the alert pops up twice
    1b. Add an asset and click on the models drop down the alert shows up
  2. Create an Asset with a name of <script>alert(1)</script>
    2a. Click Delete, the alert shows up twice
@nlipke
Copy link
Author

nlipke commented Nov 26, 2013

I found another one. Set the user's first name to <script>alert('x')</script> and you'll get an alert on pretty much every page.

@nlipke
Copy link
Author

nlipke commented Nov 26, 2013

Group name too.

@snipe snipe closed this as completed in 4d1dd1c Nov 26, 2013
@nlipke
Copy link
Author

nlipke commented Nov 26, 2013

Asset tag still has the issue

snipe added a commit that referenced this issue Nov 26, 2013
@snipe
Fixes #50
5bf38b1
@snipe
Copy link
Owner

snipe commented Nov 26, 2013

I spent some time with this this evening because it was bugging the shit out of me. Weird thing is, the content WAS being escaped on the way out (as you could see from the HTML of course). jquery was actually doing Very Bad Things and sort of re-assembling it.

I ended up backing out my alpha_dash changes from earlier, since the laravel validator (stupidly) doesn't have a version of alpha_dash that also allows spaces, and without it, it's too constrictive. I'll be writing a custom validator to reject funky characters at some point soon.

Thanks for drawing my attention to this. Was a real titty-twister for much of the night, since I could see the HTML was being escaped.

@zmorrow zmorrow mentioned this issue May 20, 2016
Closed
2 tasks
@ghost ghost mentioned this issue Jun 9, 2016
Closed
2 tasks
@brianjking brianjking mentioned this issue Jun 16, 2016
Closed
2 tasks
@veen1981 veen1981 mentioned this issue Jun 28, 2016
Closed
2 tasks
@veen1981 veen1981 mentioned this issue Jul 7, 2016
Closed
2 tasks
@veen1981 veen1981 mentioned this issue Jul 18, 2016
Closed
This was referenced Jul 19, 2016
Closed
Closed
@bioldame bioldame mentioned this issue Jul 26, 2016
Closed
@raulalmaraz raulalmaraz mentioned this issue Aug 30, 2016
Closed
@UntrustedRoot UntrustedRoot mentioned this issue Sep 1, 2016
Closed
2 tasks
@ti1000 ti1000 mentioned this issue Sep 2, 2016
Closed
@eantong eantong mentioned this issue Sep 12, 2016
Closed
This was referenced Oct 25, 2016
Closed
Closed
@Louuu Louuu mentioned this issue Oct 27, 2016
Closed
@Openclutch Openclutch mentioned this issue Nov 17, 2016
Closed
2 tasks
@jeremycpnap jeremycpnap mentioned this issue Nov 17, 2016
Closed
2 tasks
@techc0de techc0de mentioned this issue Nov 29, 2016
Closed
1 task
@Rici11 Rici11 mentioned this issue Nov 30, 2016
Closed
2 tasks
@Lakshman2309 Lakshman2309 mentioned this issue Dec 23, 2016
Closed
@xxtheatrainxx xxtheatrainxx mentioned this issue Dec 27, 2016
Closed
@MoazzamMuhammadKhan MoazzamMuhammadKhan mentioned this issue Jan 1, 2017
Closed
@yserobyan yserobyan mentioned this issue Sep 6, 2022
Closed
2 tasks
@xiyang203 xiyang203 mentioned this issue Nov 15, 2022
Closed
2 tasks
@CoventryIT CoventryIT mentioned this issue Jan 13, 2023
Closed
2 tasks
@cookierun22 cookierun22 mentioned this issue Jan 28, 2023
Closed
2 tasks
@Bjufen Bjufen mentioned this issue Feb 9, 2023
Closed
2 tasks
@ShamindraAd ShamindraAd mentioned this issue Feb 10, 2023
Closed
2 tasks
@urbaned121 urbaned121 mentioned this issue Feb 14, 2023
Open
2 tasks
@micuim123 micuim123 mentioned this issue Feb 27, 2023
Closed
2 tasks
@jayavman jayavman mentioned this issue Mar 27, 2023
Open
@rkthamizhan rkthamizhan mentioned this issue Apr 16, 2023
Closed
2 tasks
@jarrodCoombes jarrodCoombes mentioned this issue May 2, 2023
Closed
2 tasks
@jayavman jayavman mentioned this issue Jun 26, 2023
Closed
2 tasks
This was referenced Aug 22, 2023
Closed
Closed
@jayavman jayavman mentioned this issue Sep 2, 2023
Open
2 tasks
@thehazzard01 thehazzard01 mentioned this issue Oct 24, 2023
Closed
2 tasks
@JakeOktana JakeOktana mentioned this issue Nov 16, 2023
Closed
2 tasks
@ghost ghost mentioned this issue Jan 11, 2024
Closed
2 tasks
@sysadminpower2019 sysadminpower2019 mentioned this issue Jan 29, 2024
Closed
2 tasks
@manhvt20 manhvt20 mentioned this issue Mar 18, 2024
Closed
2 tasks
@struett1 struett1 mentioned this issue Mar 25, 2024
Open
2 tasks
@uglycrab uglycrab mentioned this issue Mar 27, 2024
Open
2 tasks
@itdivtieclo itdivtieclo mentioned this issue May 8, 2024
Closed
2 tasks
This was referenced Jun 20, 2024
Open
Merged
Closed
@fabriziofinos fabriziofinos mentioned this issue Jun 27, 2024
Closed
2 tasks
@jayavman jayavman mentioned this issue Jul 8, 2024
Closed
2 tasks
@derbohesevincent derbohesevincent mentioned this issue Sep 30, 2024
Closed
2 tasks
@jaisanjay0 jaisanjay0 mentioned this issue Nov 1, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@snipe @nlipke