EHRI / ehri-frontend

The EHRI project's portal interface.
https://portal.ehri-project.eu
European Union Public License 1.2

XSS Injection in profile name & notes #1482

Closed ThomasThelen closed 1 year ago

ThomasThelen commented 1 year ago

Small bug where you can set your profile name to JS, which then gets executed on a page that has a note written by you.

To Reproduce:

  1. Set your profile name to <script>alert("hi")</script>
  2. Add a (non public) note somewhere
  3. Refresh the page with the note
  4. See the alert from step 1
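The flaw in the report is a stored XSS: the profile name is user-controlled, and it is written into the note's HTML without escaping, so it runs for anyone who views the page. The following is an added example, not ehri-frontend code (the portal itself is a Scala/Play application); it is a stand-alone JavaScript sketch with a constructed note object, contrasting the unescaped rendering with the escaped one and checking the output for a live script element.

```javascript
// Added example, not code from the ehri-frontend project.
// Models a server-side renderer that inserts a user's profile name into the
// markup of a note, first unsafely (the reported bug) and then with HTML escaping.

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: raw user data is concatenated into markup, so a profile name of
// <script>alert("hi")</script> becomes an executable script element.
function renderNoteUnsafe(note) {
  return '<div class="note"><span class="author">' + note.authorName + '</span>' +
         '<p>' + note.body + '</p></div>';
}

// Fixed: every untrusted field is escaped at the point it enters the HTML.
function renderNoteSafe(note) {
  return '<div class="note"><span class="author">' + escapeHtml(note.authorName) + '</span>' +
         '<p>' + escapeHtml(note.body) + '</p></div>';
}

// Simple regression check a test suite could run over rendered output:
// does it contain an opening <script> tag the browser would execute?
function containsActiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample mirroring the reproduction steps: the note author's
// profile name carries the payload; the note body itself is harmless.
const sampleNote = {
  authorName: '<script>alert("hi")</script>',
  body: 'A non-public note left on this page',
};

// Render both variants so the difference is visible when run directly.
function demo() {
  const unsafe = renderNoteUnsafe(sampleNote);
  const safe = renderNoteSafe(sampleNote);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsActiveScript(unsafe),
    safeExecutes: containsActiveScript(safe),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe, '-> script runs:', result.unsafeExecutes);
console.log('safe:  ', result.safe, '-> script runs:', result.safeExecutes);
```

The escaped form leaves the name readable as text while neutralising it as markup; the same rule applies to every other place a profile name is shown (not only notes), since the payload is stored once and rendered in many templates.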

mikesname commented 1 year ago

@ThomasThelen big thanks for finding and reporting this! I've put out a fix just now.

ThomasThelen commented 1 year ago

Thanks for the fix (and project)! I looked around the source to see if I could issue a PR, but I'm unfortunately not super familiar with Scala. Looking through the commit now though, it looks nice. Great work ^_^