Closed minitech closed 8 years ago
You can't execute injected javascript because I've set the CSP header to prevent all inline javascript, whatever their origin.
But you found a way to inject some HTML and break the data structure passed to the page, so a fix is needed.
Can you tell me precisely why you chose `/<([/!])/g` instead of specifically targeting `</script`?
Note that I normally prefer security breaches to be brought to me privately (on Miaou in a private room, for example) before being publicly disclosed, to limit the exposure of my users.
Landing point: https://dystroy.org/miaou/1
As far as I’m aware, just escaping `</script` and `<!--` is enough, so it could be changed to that if you want.
`<!--` because of this, which doesn’t come into effect very often at all (certainly not here) but is still good to have in a generic inline JSON escaper:

```html
<script>var x = "<!--<script>"</script><script>var y = "-->/;alert(1)//"</script>
```
Requires consecutive script blocks on the same line with consecutive JSON-encoded, user-provided strings, no semicolons, and no CSP. Still…
in user profiles, for example. I’m unable to test this right now, but hope it’s still helpful.
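An added example, not code from the Miaou project or from either commenter, contrasting the narrow `/<([/!])/g` replacement discussed above with an escaper that rewrites every `<`, `>` and `&` in the JSON text as `\uXXXX` (still valid JSON and valid JavaScript), so neither `</script` nor `<!--` can reach the HTML parser. Function names and the sample strings are my own; the sample reuses the two values from the `<!--` / `-->` demonstration above.

```javascript
// Added example (not from the Miaou project or the thread). Serialises a value
// as JSON for embedding in an inline <script> so that the HTML parser cannot
// see `</script` or `<!--` inside the string, whatever the data contains.

// Narrow approach from the thread: only `</` and `<!` are rewritten, via the
// regex /<([/!])/g, so other `<` characters stay in the JSON text.
function escapeJsonNarrow(value) {
  return JSON.stringify(value).replace(/<([/!])/g, '\\u003c$1');
}

// Broader approach: escape every `<`, `>` and `&` as \uXXXX inside the JSON
// text, plus U+2028/U+2029, which older JS engines treat as line terminators
// even inside string literals.
const JSON_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
function escapeJsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => JSON_ESCAPES[c]);
}

// Builds the inline script tag the way a server-side template would.
function inlineScript(varName, value) {
  return '<script>var ' + varName + ' = ' + escapeJsonForInlineScript(value) + ';</script>';
}

// Defensive check: the HTML tokenizer must never find these sequences in a
// script body, because they end the script element or toggle its escaped state.
function hasHtmlBreakout(scriptBody) {
  return /<\/script|<!--/i.test(scriptBody);
}

// Constructed sample input: the two strings from the thread's demonstration.
const SAMPLE = { x: '<!--<script>', y: '-->/;alert(1)//' };

// Sanity check: the escaped JSON still decodes to exactly the original value.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(escapeJsonForInlineScript(value))) === JSON.stringify(value);
}
```

Run it against `SAMPLE` to see that plain `JSON.stringify` output trips `hasHtmlBreakout` while the escaped output does not, and that `JSON.parse` recovers the original strings unchanged.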