Closed ghost closed 5 years ago
https://github.com/roenw/PiPass/pull/53 created a pull request for this. Only applied it on Blockpage/index.php.
Thanks for this. Although I consider PiPass a home-grade software, security is definitely a priority. I’ll look into merging this into 1.3.5 in the coming days.
I've assumed that :), but still wanted to include that in. I updated the request since I've noticed that it was breaking whitelisting. I just HTML-encoded the $url variable.
@VoIP Cool, I'll make some commits to your repo tonight and merge it if I have time. No promises :)
Describe the bug
An XSS bug exists on "Blacklisted URL".

To Reproduce
Steps to reproduce the behavior: http://localhost/blockpage/?url=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

Expected behavior
Non-injectable HTML

Desktop (please complete the following information): All browsers

Additional context
Either use a sanitizer tool like https://www.owasp.org/index.php/OWASP_PHP_Filters or the htmlspecialchars() function.
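A worked illustration of the fix discussed in this thread, added here and not taken from PiPass or the pull request: a block page that reflects the url parameter, shown in the unencoded form beside the htmlspecialchars() form, with the whitelist lookup done on the raw value so that encoding does not break it (the problem mentioned above). The function names, the whitelist shape and the sample input are assumptions, not PiPass code.

```php
<?php
// Added example, not PiPass code. Function names, the whitelist lookup and
// the sample input are hypothetical; only the htmlspecialchars() fix is
// what the issue recommends.

declare(strict_types=1);

// Vulnerable pattern: the query parameter is interpolated into HTML as-is,
// so any markup in the value is rendered as markup (reflected XSS).
function render_blocked_vulnerable(string $url): string
{
    return "<p>Blacklisted URL: $url</p>";
}

// Hardened pattern: encode at the output boundary. ENT_QUOTES also encodes
// single quotes so the value is safe inside attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_blocked(string $url): string
{
    return '<p>Blacklisted URL: ' . h($url) . '</p>';
}

// The whitelist check runs on the raw value, not the encoded one: encoding
// rewrites characters such as & and ' that legitimately occur in URLs, which
// is why encoding $url before the comparison broke whitelisting in the PR.
function is_whitelisted(string $url, array $whitelist): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    return in_array(strtolower($host), $whitelist, true);
}

// Constructed sample input: the report's payload as PHP sees it in $_GET['url'].
$url = '<script>alert("XSS")</script>';
$whitelist = ['example.com'];

if (!is_whitelisted($url, $whitelist)) {
    echo render_blocked($url), PHP_EOL;
}
```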