The security related issues with the API scripts

[mudrd8mz]

The scripts setHistory.php and getHtml.php in the "api" directory can be easily abused. It seems trivial to feed the chatbot_dialogflow table with malicious contents and then display it as a raw HTML. This represents a surface for a wide range of known attacks including XSS.

[somiceast]

Hi,@mudrd8mz Curious about your moodle version. My website installed the plugin and set the parameters successfully, but it cannot representated the dialogflow chatbot interface. I don't know what happened, I'll be glad to hear your professional idea.

The scripts setHistory.php and getHtml.php in the "api" directory can be easily abused. It seems trivial to feed the chatbot_dialogflow table with malicious contents and then display it as a raw HTML. This represents a surface for a wide range of known attacks including XSS.