Closed tranmh closed 4 months ago
It is possible to at creation time of static QR code to insert the following string for Filename and Text: <img src/onerror=prompt(8)> and <img src/onerror=prompt(11)>
Doing so, it is proven that it is possible to do XSS to other users being on the same system, if revisiting the system: https://giandonatoinverso.it/qrcode/static_qrcodes.php
I hope you have an idea how to fix it.
Thx.
I think the inputs need to be filtered. Some already are. I currently don't have time to work on the project, I invite the community to do so
PR #94 is merged. So closing.
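A fix for the stored XSS described in this issue, as an added example that is not the project's own code: the stored Filename and Text values are escaped at the point where they are written into the page. The table row layout, the `$row` array and the field names are assumptions.

```php
<?php
// Added example (not the project's code): output encoding for the stored
// Filename/Text values. Row layout and field names are assumed.

declare(strict_types=1);

/** Escape untrusted text for an HTML element or quoted attribute context. */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: stored values are interpolated directly into markup. */
function renderRowVulnerable(array $row): string
{
    return "<tr><td>{$row['filename']}</td><td>{$row['text']}</td></tr>";
}

/** Hardened rendering: every stored value is escaped before it reaches the HTML. */
function renderRowSafe(array $row): string
{
    return '<tr><td>' . e($row['filename']) . '</td><td>' . e($row['text']) . '</td></tr>';
}

/** Simple regression check: no raw '<' from user data may survive in the output. */
function containsRawMarkup(string $html, array $row): bool
{
    foreach ($row as $value) {
        if (str_contains($html, $value)) {
            return true; // the untrusted string was emitted verbatim
        }
    }
    return false;
}

// Constructed sample record using the payload quoted in the report.
$row = [
    'filename' => '<img src/onerror=prompt(8)>',
    'text'     => '<img src/onerror=prompt(11)>',
];

// The vulnerable version emits the stored markup verbatim, so any user who
// later views the list has the onerror handler executed in their browser.
$bad = renderRowVulnerable($row);
echo 'vulnerable row contains raw markup: ', var_export(containsRawMarkup($bad, $row), true), PHP_EOL;

// The hardened version turns '<', '>', quotes and '&' into entities, so the
// browser shows the payload as literal text and no script runs.
$good = renderRowSafe($row);
echo 'hardened row contains raw markup: ', var_export(containsRawMarkup($good, $row), true), PHP_EOL;
```

The same `e()` wrapper must be applied wherever a stored value is placed in an HTML attribute (for example a download link built from the filename), not only in table cells.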