decaporg / decap-cms

A Git-based CMS for Static Site Generators
https://decapcms.org
MIT License

Submissions at huntr. #5610

Closed B3EF closed 3 years ago

B3EF commented 3 years ago

Reports at Huntr: report 1, report 2, report 3

erezrokah commented 3 years ago

Thanks @B3EF. For the first report, see https://github.com/netlify/netlify-cms/issues/4099 and https://github.com/netlify/netlify-cms/blob/dbf2920254fb3682e12463a6df8ded4b94b55be0/packages/netlify-cms-widget-markdown/src/MarkdownPreview.js#L21

Looking into the other ones.

Also see https://github.com/netlify/netlify-cms/issues/5570

B3EF commented 3 years ago

Hi @erezrokah, PR #4099 seems to have been fixed, but lately, while I was testing in the new one, it seems to be popping up alerts for objects other than custom strings in the alert box.

erezrokah commented 3 years ago

> Hi @erezrokah, PR #4099 seems to have been fixed, but lately, while I was testing in the new one, it seems to be popping up alerts for objects other than custom strings in the alert box.

Are you setting the sanitize_preview configuration for the markdown field?

B3EF commented 3 years ago

Yes, I have tried changing the preview from rich text to md, and the alert pops up then too.

erezrokah commented 3 years ago

Can you share your config.yml?

B3EF commented 3 years ago

Yes, you are right, it seems like I haven't set sanitize_preview in the config.yml file? How can I add it? Is there any syntax to be followed, like sanitize_preview: true?

erezrokah commented 3 years ago

On your markdown field add sanitize_preview: true, e.g.

```yaml
- { label: 'Body', name: 'body', widget: 'markdown', sanitize_preview: true }
```

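
A config audit for the option above, added here as an example (not the project's own code): it walks a Decap/Netlify CMS config object in the shape of a parsed config.yml (constructed inline, not the project's dev-test config) and lists every markdown field, including fields nested in list and object widgets, that does not set sanitize_preview: true.

```javascript
// Constructed sample in the shape of a parsed config.yml (not the project's
// dev-test config). `sanitize_preview` is the real per-field markdown option.
const sampleConfig = {
  collections: [
    {
      name: 'posts',
      fields: [
        { label: 'Title', name: 'title', widget: 'string' },
        { label: 'Body', name: 'body', widget: 'markdown', sanitize_preview: true },
        {
          label: 'Sections', name: 'sections', widget: 'list',
          fields: [
            { label: 'Heading', name: 'heading', widget: 'string' },
            { label: 'Text', name: 'text', widget: 'markdown' }, // option missing
          ],
        },
        {
          label: 'Notes', name: 'notes', widget: 'list',
          field: { label: 'Note', name: 'note', widget: 'markdown', sanitize_preview: false },
        },
      ],
    },
  ],
};

// Return dotted paths of markdown fields whose preview is not sanitized.
// Handles folder collections (`fields`) and nesting via list/object widgets
// (`fields` or a single `field`).
function findUnsanitizedMarkdownFields(config) {
  const findings = [];
  function walk(fields, prefix) {
    for (const f of fields || []) {
      const path = `${prefix}.${f.name}`;
      if (f.widget === 'markdown' && f.sanitize_preview !== true) findings.push(path);
      if (Array.isArray(f.fields)) walk(f.fields, path);
      if (f.field) walk([f.field], path);
    }
  }
  for (const c of config.collections || []) walk(c.fields, c.name);
  return findings;
}

console.log(findUnsanitizedMarkdownFields(sampleConfig));
// prints [ 'posts.sections.text', 'posts.notes.note' ]
```

Point it at your real config (loaded with a YAML parser) to find fields whose preview pane still renders unsanitized HTML.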
B3EF commented 3 years ago

Is your demo site configured with sanitize_preview true? Because I am getting a pop-up in that.

[attached image: IMG_20210712_224347.jpg]

erezrokah commented 3 years ago

> Is your demo site configured with sanitize_preview true? Because I am getting a pop-up in that.

No, it's not. See https://github.com/netlify/netlify-cms/blob/b94d5f6e7fe07a2816098b377b30a4ddd39c9520/dev-test/config.yml

B3EF commented 3 years ago

Then you are right, it was a mistake from my side. Thanks for your time.

B3EF commented 3 years ago

I will close the first report, or you can invalidate it. Cheers 👍🏻

B3EF commented 3 years ago

Have you checked the other ones?

erezrokah commented 3 years ago

> I will close the first report, or you can invalidate it. Cheers 👍🏻

Thanks!

> Have you checked the other ones?

I've passed them to our security team for further analysis. I'll add my thoughts on the specific reports too.

B3EF commented 3 years ago

Hi @erezrokah, huntr have reduced the severity level for both.

B3EF commented 3 years ago

Hi, any updates?

erezrokah commented 3 years ago

Hi @B3EF, sorry for the delay. I was out of office for a few days. I'll follow up this week.

B3EF commented 3 years ago

No problem, take your time.

erezrokah commented 3 years ago

Closing per my latest comments on huntr.