Stored XSS in comments section https://publiclab.org/questions #3549
Comments
Thanks for opening your first issue here! Please follow the issue template to help us help you 👍🎉😄
Hi! Thank you! I'm going to move your comment to our staging server so it doesn't impact real people posting on PublicLab.org. It's now at: https://stable.publiclab.org/notes/bkleist/04-04-2017/uwec-air-quality-monitoring#c17379 The offending string was: <img src=x onerror=prompt(133)> I'm going to make a test which demonstrates this, so it can be fixed in the template file; I wonder if it has to do with the hidden plots2/app/views/notes/_comment.html.erb Lines 120 to 121 in 6595ef3
I think we should be filtering some parameters here: plots2/app/helpers/application_helper.rb Lines 102 to 107 in 2fd9e45
here, would we filter out attributes like
OK! I've demonstrated the vulnerability in a unit test here: #3553 I believe we can use the https://guides.rubyonrails.org/security.html#html-javascript-injection-countermeasures Be sure we whitelist everything we really need, like @vsk4 did you want to give this one a try? If so, try building on the branch in the PR above -- that way if you succeed, you should be able to get that test to pass. But first, you could experiment in a Rails console locally, by using variations of the Thanks again!
Great, so sanitize() can now go in comment.rb, here Line 335 in f78d53e
@jywarren can you be clear about where I should insert sanitize()?
I believe on the output (last line) of comment.rb's `render_body` method!
So I tried this with a badly formatted comment but it removed the markdown formatting too. I think we may need to somehow go through the HTML and ensure it's properly nested... :-/
And note that if we do use
Aha! The answer to closing unclosed tags is:
This is for a distinct issue and we should add it too, in
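The allowlist approach the thread settles on (a sanitize() pass over the rendered comment body that keeps only the tags markdown needs, drops event-handler attributes, and closes unclosed tags), written out as an added stand-alone example. This is not plots2 code and not Rails' sanitize helper; it is a Python illustration of the same idea, chosen so it runs without the Rails gems, and the allowlist contents and helper names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: tags a markdown renderer emits plus the attributes they need.
ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(), "code": set(),
           "ul": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}              # self-closing: never pushed on the open-tag stack

def _safe_url(value):             # keep relative, http, https and mailto URLs only
    v = (value or "").strip().lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/#?"):
        return True               # the ':' sits inside the path, so there is no scheme
    return scheme in ("http", "https", "mailto")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                # unknown tag dropped; its text is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue          # drops onerror=, onclick=, style=, ...
            if name in ("href", "src") and not _safe_url(value):
                continue          # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)
    def handle_endtag(self, tag):
        while tag in self.open:   # a stray close tag with no open tag is dropped
            t = self.open.pop()   # anything still open inside it is closed first
            self.out.append(f"</{t}>")
            if t == tag:
                break
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    def result(self):
        while self.open:          # close whatever the author left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()
```

Run over the reported string the output is `<img src="x">`, while markdown output such as `<p>Hi <strong>there</strong></p>` passes through unchanged.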
Hello @vsk4, I see this is listed as a first-timers-only issue in your GCI mentor application. If you can read over some of these docs, you'll see that such issues follow a format to welcome someone else into the project, so if you're interested in being a mentor, please give this a try! We're happy to help and we're grateful for your involvement. You can read a bit more about this here: A first-timers-only issue like these is simple, self-contained, and has specific step-by-step formatting, in order to be a great entry point for a new contributor. If you're familiar enough with this code, please consider formatting a first-timers-only issue, and then ping @publiclab/reviewers to get it labelled. If you've already done this in another issue, that's fine, just either update your application form or respond to this comment with a link to your FTO issue and I'll update my data. Thanks a lot!
Thank you @jywarren, as of now I am not interested in being a mentor for GCI. Thank you for helping me out. I would love to contribute to the Public Lab community, mostly in security issues 😃
Thank you, we'd LOVE to have your help! 🎉
thank you! We'd love your help :-)
Fixed in #7282
Please describe the problem (or idea)
The comment section is vulnerable to stored XSS.
I tried to comment here, pasted a simple XSS payload and uploaded the comment; after refreshing the page it got executed.
While taking the input for the comment, no filtering of the input happens, so the XSS script is executed.
Filtering of the script and no pop-up when a payload (testing script) is applied.
See the deadly effects of stored XSS here
Please show us where to look
Click on this link to see the stored XSS
Screenshots:
https://publiclab.org/questions
What's your PublicLab.org username?
herovsk4
Please have a look at this link for more information on XSS.
Filter the input containing script tags like <, >, -, % and all other payload inputs.
Browser, version, and operating system
Safari, chrome and firefox