disintar / .github

Feel free to post any issues related to Disintar products

Allowed any filename for NFT #11

Open LetikGit opened 1 year ago

LetikGit commented 1 year ago

Bug Type

Functional

Reproduction steps

  1. Go to create NFT
  2. Upload any image and fill in the fields
  3. Put a breakpoint on the request to /create_nft and replace the image filename

Actual result

Possible to upload any image file and make an NFT with an invalid image (for example: https://beta.disintar.io/object/kQC95xkZhh-9c2qOAhgX56sRTRLlefjaUM-cH1UsJ01SY3s-)

Expected result

Upload the image to the images server, get an image ID and send the image ID in the request, not a file.

Suggested Severity

Critical

Device

OS: macOS; Browser: Chrome; Version: 105

Additional Context

No response

tvorogme commented 1 year ago

Hi! Why do we need this? All NFTs with filenames are moderated. While it's not moderated, it will not be available for any user.

LetikGit commented 1 year ago

If you trusted your checks and filtered the filename, then it's ok.

Screenshot 2022-09-18 at 12 49 11

Because the filename is added to styles, maybe some payload can bypass your checks and exploit XSS (for example).
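The upload-then-reference-by-ID design the reporter proposes, written out as an added illustration; this is example code, not Disintar's implementation, and the `ImageStore` class, the `create_nft` function, the `/images/<id>.<fmt>` URL scheme, the accepted formats and the size limit are all assumptions made for the example. The client-supplied filename is validated by content (magic bytes), never stored or echoed, and the only value that reaches the style attribute is a server-issued hex ID with a fixed alphabet, so a filename change at a breakpoint cannot reach the rendered CSS at all.

```python
import hashlib
import html
import re

# Magic-byte signatures for the image formats this example accepts
# (constructed list for the example; extend as the product requires).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_IMAGE_BYTES = 5 * 1024 * 1024  # assumed size limit for the example

# Server-issued image IDs are SHA-256 hex digests: a fixed alphabet and
# length, so they can be embedded in a URL or style attribute without
# any user-controlled characters ever reaching the markup.
IMAGE_ID_RE = re.compile(r"[0-9a-f]{64}")


def detect_image_type(data: bytes):
    """Return the format name if the bytes start with a known image
    signature, else None. The client's filename and Content-Type are
    deliberately not consulted: both are attacker-controlled."""
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None


class ImageStore:
    """In-memory stand-in for the separate images server the reporter
    proposes (hypothetical; a real deployment would use object storage)."""

    def __init__(self):
        self._formats = {}

    def upload(self, data: bytes, client_filename: str) -> str:
        """Validate by content, ignore the client filename, and return a
        server-issued image ID."""
        if len(data) > MAX_IMAGE_BYTES:
            raise ValueError("image too large")
        fmt = detect_image_type(data)
        if fmt is None:
            raise ValueError("upload is not a supported image")
        image_id = hashlib.sha256(data).hexdigest()
        # client_filename is intentionally not stored or echoed anywhere.
        self._formats[image_id] = fmt
        return image_id

    def format_of(self, image_id: str):
        return self._formats.get(image_id)


def create_nft(store: ImageStore, image_id: str, title: str) -> str:
    """Hypothetical /create_nft handler logic: it accepts an image ID,
    never a file or a filename, and renders the NFT card from it."""
    if not IMAGE_ID_RE.fullmatch(image_id):
        raise ValueError("malformed image id")
    fmt = store.format_of(image_id)
    if fmt is None:
        raise ValueError("unknown image id")
    # Every component of the URL was generated server-side, so the style
    # attribute cannot receive user-controlled characters; the title is
    # HTML-escaped (quotes included) before it is placed in element text.
    url = f"/images/{image_id}.{fmt}"
    return (
        f'<div class="nft" style="background-image:url({url})">'
        f"{html.escape(title)}</div>"
    )


if __name__ == "__main__":
    store = ImageStore()
    # Constructed minimal PNG header followed by padding; enough for the check.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    image_id = store.upload(png, "Screenshot 2022-09-18.png")
    print(create_nft(store, image_id, "My NFT"))
    try:
        store.upload(b"plain text, not an image", "fake.png")
    except ValueError as exc:
        print("rejected:", exc)
```

Two properties matter for the reporter's concern: the filename argument to `upload` has no effect on anything that is stored or rendered, and `create_nft` refuses any ID that is not exactly 64 lowercase hex characters before it is used in a path or a style attribute.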