search

cross-solution / YAWIK

YAWIK is a web application. It can be used as an ATS applicant tracking system or as a jobboard.
https://yawik.org
MIT License
125 stars 67 forks source link

InputFilter in AtsMode Form does not seem to work #553

Closed cbleek closed 4 years ago

cbleek commented 5 years ago

Demo Database contains:

        "atsMode" : {
                "mode" : "uri",
                "uri" : "javascript:alert('xss');\"><script>alert('xss');</script><iframe src=\"https://www.yawik.org\"><rel=\"",
                "email" : "test@example.com",
                "oneClickApply" : false,
                "oneClickApplyProfiles" : {

                }
        },

URI Mode contains the InputFilter StripTags. It seems, the filter does not work.

https://github.com/cross-solution/YAWIK/blob/master/module/Jobs/src/Form/InputFilter/AtsMode.php#L68

BTW: MODE_EMAIL should use an InputFilter, too.

Auswahl_237

mbo-s commented 5 years ago

@cbleek This looks like the test data from https://github.com/cross-solution/YAWIK/issues/514

cbleek commented 4 years ago

this was fixed