bo-blog / bw

Bo-blog Wind Version
MIT License
95 stars 21 forks

There is a xss vulnerability #105

Closed willgoSe closed 5 years ago

willgoSe commented 5 years ago

There is a Self-Stored Cross Site Scripting (XSS) vulnerability. When the author uploads an essay that contains script code, browsers will execute that script code. PoC:

When anyone navigates to the blog page, the payload is triggered:

bo-blog commented 5 years ago

This is expected behaviour. That’s what an Author can do. An author can post anything, including HTML and JavaScript. This is a self-hosted blog over which the owner has full control. It is not a shared blogging platform like Medium, where you need to consider blocking malicious usage.