clowder-framework / clowder

A data management system that allows users to share, annotate, organize and analyze large collections of datasets. It provides support for extensible metadata annotation using JSON-LD and a distributed analytics event bus for automatic curation of uploaded data.
https://clowderframework.org/
University of Illinois/NCSA Open Source License

Fix profile xss #449

Open tcnichol opened 5 months ago

tcnichol commented 5 months ago

You can change the firstName and lastName to include JavaScript using the endpoint:

localhost:9002/api/users/662eacbe89108d20fb4cab22/updateName?firstName=bb&lastName=<script>alert('XSS')</script>

I am using an imported function. This gets rid of the JavaScript being called, but then the name is blank on the profile page. It may not be the right method for this, or I may be using it wrong.

longshuicy commented 5 months ago

@lmarini and I looked together at other possible places related to this bug and realized that sometimes it's unnecessary for the frontend template to use @Html(). It should just render it as plain text instead of as HTML tags.
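The two approaches discussed in this thread, stripping the script on the way in versus rendering the name as plain (escaped) text on the way out, as an added example that is not part of the PR or of Clowder's own code. The three render functions stand in for a Twirl template that uses @Html(user.name) (raw), a template that uses @user.name (escaped by default), and the strip-tags helper the PR author describes; the input string reproduces the updateName request from the report and is constructed for the example.

```javascript
// Added example (not Clowder's code): why escaping on output beats stripping on input.
// Constructed input mirroring the reported request: lastName is entirely a <script> element.
const firstName = "bb";
const lastName = "<script>alert('XSS')</script>";

// HTML-escape the five characters that matter in text and attribute context.
// This is what Twirl does for a plain @value expression.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering: the equivalent of @Html(user.fullName) in a template.
// The string is trusted as markup and inserted verbatim, so the script runs.
function renderProfileRaw(first, last) {
  return `<h1>${first} ${last}</h1>`;
}

// Fixed rendering: the equivalent of @user.fullName in Twirl.
// The browser shows the literal text "<script>alert('XSS')</script>" as the name; nothing executes.
function renderProfileEscaped(first, last) {
  return `<h1>${escapeHtml(first)} ${escapeHtml(last)}</h1>`;
}

// The strip-tags approach: remove script elements (including their content), then any other tag.
// A name that consists only of a <script> element is removed entirely, which is why the
// profile ends up with a blank name.
function stripTags(s) {
  return String(s)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/<[^>]*>/g, "");
}
function renderProfileStripped(first, last) {
  return `<h1>${stripTags(first)} ${stripTags(last)}</h1>`;
}

// Rough stand-in for the browser's parser: does the markup contain a live <script> element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log("raw:      ", renderProfileRaw(firstName, lastName));
console.log("escaped:  ", renderProfileEscaped(firstName, lastName));
console.log("stripped: ", renderProfileStripped(firstName, lastName));
```

The escaped output keeps the user's input visible as text, so nothing is silently lost, while the stripped output loses the whole last name. Output encoding in the template is the fix the thread converges on; input stripping only looks equivalent until the payload is the entire field.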