Closed (kltm closed this 2 years ago)
It is currently possible to inject disrupting code into visualize that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:
https://amigo-staging.geneontology.io/visualize?mode=client_amigoquas%22--%3E%3Csvg/onload=alert(document.domain)%3E%3C!--
Noted on staging.
It appears to have been an error in error handling. Fix applied, tested against given URLs, and rolled out to endpoints.
No further report from LBL; closing for now.
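The break-out the reported URL relies on, and the escaping an error page needs when it echoes the `mode` query value into a script variable, as an added example that is not AmiGO's own code; `renderModeScriptVulnerable` is an assumed reconstruction of the pattern, not the project's source.

```javascript
// Added example (not AmiGO's code). The decoded `mode` value from the URL in
// the report: the quote ends the JS string literal, "-->" closes a comment
// and "<svg ...>" is then parsed by the HTML tokenizer, not by JavaScript.
const REPORTED_MODE = 'client_amigoquas"--><svg/onload=alert(document.domain)><!--';

// Assumed vulnerable pattern: the raw query value is interpolated into a
// string literal inside an inline <script> on the (error) page.
function renderModeScriptVulnerable(mode) {
  return '<script>var mode = "' + mode + '";</script>';
}

// Hardened: JSON-encode, then replace every character the HTML tokenizer
// reacts to with a \uXXXX escape. HTML is parsed before JavaScript runs, so
// "</script>", "<!--" and "-->" must never appear literally in the body.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderModeScriptSafe(mode) {
  return '<script>var mode = ' + jsStringLiteral(mode) + ';</script>';
}

// Review check: does the script body still contain a raw '<' or '>'?
// Any such character lets a query value introduce markup.
function scriptBodyLeaksMarkup(html) {
  const body = html.slice('<script>'.length, html.length - '</script>'.length);
  return /[<>]/.test(body);
}

// Round-trip: evaluate the hardened script body and recover the original
// value, showing the escaping changes only encoding, not what the client sees.
function roundTrip(mode) {
  const html = renderModeScriptSafe(mode);
  const body = html.slice('<script>'.length, html.length - '</script>'.length);
  return new Function(body + ' return mode;')();
}
```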