Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Config data needs to be encoded when embedded in html so you cannot inject scripts #7566

Closed
epixa opened this issue Jun 28, 2016 · 1 comment
Closed

Config data needs to be encoded when embedded in html so you cannot inject scripts #7566

epixa opened this issue Jun 28, 2016 · 1 comment
Assignees
@bevacqua
Labels
blocker v5.0.0-alpha4

Comments

@epixa
Copy link
Contributor

epixa commented Jun 28, 2016

This hasn't been released yet, but at the moment the alpha4 builds allow for script injection via configuration values from advanced settings. You should be able to trigger it by adding the following as the value for any non-json config value:

</script><script>alert('nooooo');</script>
@bevacqua bevacqua mentioned this issue Jun 28, 2016
Merged
@epixa epixa reopened this Jun 28, 2016
@epixa
Copy link
Contributor Author

epixa commented Jun 28, 2016

I reverted that PR because it doesn't pass tests (locally or on CI), so this is still an open issue.

@bevacqua bevacqua mentioned this issue Jun 29, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bevacqua bevacqua

Labels
blocker v5.0.0-alpha4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@epixa @bevacqua