[Bounty] Tronscan V2 - Able to put invalid characters in Representative Website URL - Githubissues

Rovak / wallet-web

Tron Protocol Wallet

https://tronscan.org

GNU Lesser General Public License v3.0

55 stars 29 forks source link

[Bounty] Tronscan V2 - Able to put invalid characters in Representative Website URL #236

Open robincarlo84 opened 6 years ago

robincarlo84 commented 6 years ago

Bug Report

As you can see on the screenshot, you are able to put invalid characters in the Website URL field

Not sanitizing the input fields makes your site prone to XSS Injections.

You can reproduce this by:

Apply to be a super representative candidate
Enter a valid website address. e.g. https://www.sample-url.com
Once application is approved, go back to your account then change website
Change website with this: "><img src=d onerror=prompt(document.cookie);> Note: include double quote(") char.

OS

Mac

Browser

Chrome FF Safari

Reward Information

Voluntary donation: 0x6562eb37a210a0949fd502f2a746284a38f4e9cc Email: robincarlo84@gmail.com