Open linkmauve opened 8 years ago
Thank you for the report @linkmauve. Do you think you might be able to propose a fix?
Can you confirm if this was fixed? If so, a link to the commit and/or fixing version? Also if this is related to https://github.com/candy-chat/candy/issues/498?
No-one has yet proposed a fix.
The current method makes it trivial to execute scripts for any attacker, e.g. by sending
<img src="something" onerror="alert('Hello XSS')"/>
in a room. http://xmpp.org/extensions/xep-0071.html defines a subset of elements alongside their attributes; I highly recommend that you whitelist only those and ignore any other element or attribute you come across.