
fix xss issues #1685 #1686

Merged
merged 2 commits into from
Feb 7, 2017

Conversation

daniel-wer

This PR fixes the XSS vectors I've found during my recent webknossos security review. See https://docs.google.com/presentation/d/1zTBnoy3_lTsoBfMeOz96W3bnlUtvTv2qkXrKMiu326s/edit?usp=sharing

I've also replaced all unnecessary uses of <%= in Backbone (Lodash) templates with <%- (that html encodes strings).

Steps to test:

  • XSS Vector 1

    • Sign up with a user with the name <script>alert('xss')</script>, login as another user and go to the overview page, select the team of the malicious user (and adjust the hours slider, so the user is displayed)
    • You should not see an alert when hovering over the malicious user and the popover should have linebreaks
  • XSS Vector 2

    • Create a team with the name <script>alert('xss')</script> and create a project belonging to the newly created team.
    • You should not see an alert when looking at the projects list, but instead the team name should be displayed in the table (safely escaped)

Issues:

ATTENTION: Merging this PR may close #1685 as my commit message unfortunately contains the word fix :/ If so, please reopen the issue as it contains more ToDos.


  • Ready for review
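To make the `<%=` versus `<%-` point concrete, here is an added example (not webknossos code and not Lodash itself): a deliberately minimal re-implementation of the two Lodash template delimiters, using the same five-character escape set as Lodash's `_.escape`, plus a small review aid that lists every remaining raw `<%=` interpolation in a template source. The `renderTemplate`, `findRawInterpolations` and `escapeHtml` names, the `user.firstName` property path and the sample template strings are assumptions made for this example; real `_.template` compiles the expression as JavaScript, whereas this version only resolves a property path.

```javascript
// Added example, not part of the PR: minimal model of Lodash's `<%= %>` (raw
// interpolation) and `<%- %>` (HTML-escaped interpolation) delimiters.

// Same five characters that Lodash's _.escape replaces.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal renderer: `<%= path %>` emits the value as-is, `<%- path %>` escapes
// it first. `path` is resolved as a dotted property path in `data` (hypothetical
// simplification; real _.template evaluates arbitrary JavaScript expressions).
function renderTemplate(source, data) {
  return source.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_, kind, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return kind === '-' ? escapeHtml(text) : text;
  });
}

// Review aid: return every raw `<%=` interpolation with its expression and
// offset, so each one can be checked against the question "does this really
// need to emit markup, or is it user-controlled text?"
function findRawInterpolations(source) {
  const hits = [];
  const re = /<%=\s*([^%]*?)\s*%>/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    hits.push({ expression: m[1], index: m.index });
  }
  return hits;
}

// Constructed sample data, modelled on the PR's "XSS Vector 1" test step.
const maliciousUser = { firstName: "<script>alert('xss')</script>", lastName: 'Doe' };
const rawTemplate = '<div class="user"><%= user.firstName %> <%= user.lastName %></div>';
const safeTemplate = '<div class="user"><%- user.firstName %> <%- user.lastName %></div>';

if (typeof require !== 'undefined' && require.main === module) {
  // Raw: the script tag survives into the markup.
  console.log(renderTemplate(rawTemplate, { user: maliciousUser }));
  // Escaped: the browser renders the literal text instead of executing it.
  console.log(renderTemplate(safeTemplate, { user: maliciousUser }));
  // Two raw interpolations flagged for review in the first template, none in the second.
  console.log(findRawInterpolations(rawTemplate), findRawInterpolations(safeTemplate));
}
```

Running `findRawInterpolations` over every template file is a cheap way to keep the invariant this PR establishes: after the sweep, any `<%=` left in the code base should be one a reviewer has consciously accepted because the value is trusted markup, not a user-supplied name.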

@daniel-wer daniel-wer added this to the 17_03 Multi-lab deployment management milestone Feb 5, 2017
@hotzenklotz hotzenklotz left a comment

LGTM

@daniel-wer daniel-wer merged commit c56888a into master Feb 7, 2017
@daniel-wer daniel-wer deleted the xss branch February 7, 2017 23:01
Successfully merging this pull request may close these issues.

Enhance webknossos security
2 participants