LaravelDaily / Laraquiz-QuickAdminPanel

Laravel 5.6 based quiz system - generated with QuickAdmin https://quickadminpanel.com
http://laraquiz.com

Bug DOM XSS (Cross-site Scripting) in show.blade.php #18

Closed lavie3k closed 3 years ago

lavie3k commented 3 years ago

Hello,

I have found a security hole in the result display function. Line 40: {!! $result->question->code_snippet !!}

Please use: {{ $result->question->code_snippet }}

PovilasKorop commented 3 years ago

@lavie3k this assumes that the question details will come from the administrator and that administrator won't hack his own system :)
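The two Blade echo syntaxes in the report differ only in whether the value passes through Laravel's e() helper before it reaches the page. The script below is an added illustration, not code from the Laraquiz repository: it runs in plain PHP without Laravel, reproducing e() as it is defined in Laravel 5.6 (htmlspecialchars with ENT_QUOTES, UTF-8 and double-encoding enabled), and feeds both syntaxes one constructed code_snippet value. Beyond the exchange above, it also shows why {{ }} is the right choice for a snippet even when the content is trusted: a raw echo hands any `<` in the snippet to the HTML parser, so code containing tags is mangled on display, and every viewer of the result page executes whatever is stored in that column if an administrator account is ever compromised or a question is imported from elsewhere.

```php
<?php
// Added example (not from Laraquiz): what Blade's {!! !!} and {{ }} do to one value.
//
//   {!! $x !!}  -> echoes $x verbatim
//   {{ $x }}    -> echoes e($x); in Laravel 5.6 that is
//                  htmlspecialchars($x, ENT_QUOTES, 'UTF-8', true)

function bladeRaw(string $value): string
{
    // Equivalent of {!! $value !!}: no transformation at all.
    return $value;
}

function bladeEscaped(string $value): string
{
    // Equivalent of {{ $value }} via e() as defined in Laravel 5.6.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', true);
}

function renderSnippet(string $snippet, bool $escape): string
{
    // Stand-in for the <pre><code> block in show.blade.php (assumed markup).
    $body = $escape ? bladeEscaped($snippet) : bladeRaw($snippet);
    return "<pre><code>{$body}</code></pre>";
}

// Constructed sample value for question->code_snippet. A legitimate snippet
// already contains '<' (the PHP open tag); the trailing part is a textbook
// script tag standing in for tampered content. Not real data from the project.
$snippet = "<?php echo 'hello'; ?>\n<script>alert(1)</script>";

echo "Raw echo, {!! !!} (vulnerable, and the PHP tag is swallowed by the browser):\n";
echo renderSnippet($snippet, false), "\n\n";

echo "Escaped echo, {{ }} (fix from the report; browser shows the snippet as text):\n";
echo renderSnippet($snippet, true), "\n";
// The escaped body reads:
//   &lt;?php echo &#039;hello&#039;; ?&gt;
//   &lt;script&gt;alert(1)&lt;/script&gt;
```

In show.blade.php the corresponding fix is the one-token change the report asks for, `<pre><code>{{ $result->question->code_snippet }}</code></pre>`; if syntax highlighting is wanted later, it should be applied client-side to the escaped text rather than by switching back to a raw echo.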