Closed RikunjSindhwad closed 3 years ago
The demo site is basically a sandbox, which is constantly deleted and recreated. But hurting someone with script injection is a valid point, so description and content in the post editor has been sanitized to not allow scripting.
Stored XSS As website is still in dev it won't be an issue. but ppl can access this website including you and due to arbitrary JavaScript execution attacker can take control over browser and maybe your system. attacker can send malicious request using your browser. so its better to remove access to admin layout to everyone
POC
https://demo.blogifier.net/posts/welcome-to-the-blogifier-demo-website above link executes a JavaScript (just a pops up)
Reference https://owasp.org/www-community/attacks/xss/