bluffingo / OpenSB

The Open SquareBracket Software
https://squarebracket.pw/
GNU Affero General Public License v3.0

XSS vulns #119

Closed grkb-chaziz closed 2 years ago

grkb-chaziz commented 2 years ago

Comments on watch.php (fixed)

(screenshots)

Display names on user.php

(screenshots)

ghost commented 2 years ago

lol

Hedy88 commented 2 years ago

yooo, this is epic. time to self host DVWA and practice my XSS skills :him:

grkb-chaziz commented 2 years ago

ok so I fixed the XSS for comments but display names XSS seems to be hit or miss.

this will be closed when I blacklist any unusual symbols for display names

grkb-chaziz commented 2 years ago

apparently comments XSS was due to how the Twig template file was made, so it didn't filter anything whatsoever. don't know why or when it was added.
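The failure mode described above, as an added example (not OpenSB's own template or code): a Twig template that prints a stored value with `|raw` hands the browser whatever was submitted, while the default autoescaped `{{ }}` output neutralises it. The template names, the sample comment and display name are constructed here; it assumes Twig 3 installed via Composer.

```php
<?php
// Added example, not OpenSB code. Assumes: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample values standing in for a stored comment and a display name.
$comment     = '<b>bold?</b> & "quotes"';
$displayName = 'Alice <i>not italic</i>';

$loader = new ArrayLoader([
    // Unsafe: |raw (or autoescape disabled) prints the value exactly as stored,
    // so any markup in the comment becomes part of the page.
    'comment_unsafe.twig' => '<p class="comment">{{ body|raw }}</p>',
    // Safe: with autoescape on, {{ }} output is HTML-escaped before rendering.
    'comment_safe.twig'   => '<p class="comment">{{ body }}</p>',
    // Display name used both as text and inside an attribute: escape each
    // context with the strategy that matches where the value lands.
    'user_safe.twig'      => '<a href="/user.php" title="{{ name|e(\'html_attr\') }}">{{ name }}</a>',
]);

// 'html' is the default strategy; it is set explicitly so the intent is visible
// in code review, and so a template author cannot silently rely on a global.
$twig = new Environment($loader, ['autoescape' => 'html']);

// Renders every template for one input so the difference can be compared.
function renderAll(Environment $twig, string $comment, string $name): array
{
    return [
        'unsafe' => $twig->render('comment_unsafe.twig', ['body' => $comment]),
        'safe'   => $twig->render('comment_safe.twig',   ['body' => $comment]),
        'user'   => $twig->render('user_safe.twig',      ['name' => $name]),
    ];
}

foreach (renderAll($twig, $comment, $displayName) as $label => $html) {
    // The unsafe render still contains a literal '<b>' tag; the safe ones do not.
    $leaks = str_contains($html, '<b>') || str_contains($html, '<i>') ? 'LEAKS MARKUP' : 'escaped';
    printf("%-6s %-13s %s\n", $label, $leaks, $html);
}
```

Output escaping at render time covers every character, so a display-name blacklist is not needed as the primary control; an allow-list on the name format can still be applied separately as an input-validation policy.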

grkb-chaziz commented 2 years ago

OH MY FUCKING GOD

(screenshot)