google-code-export / gaewiki

Automatically exported from code.google.com/p/gaewiki

No xss protection #92

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to the live demo at http://gaewiki-demo.appspot.com/Sandbox
2. Press edit
3. Type in *any* malicious or XSS HTML code into the textbox, for example
<script>alert("some dumb content")</script>
4. Press edit
5. Press preview (be sure *not to* press save changes)

What is the expected output? What do you see instead?
The expected output is that the code will be stripped out using some sort of 
sanitizer. However, I managed to save the code and actually let it execute on 
every single page load (I've deleted it afterwards, no worries).

What version of the product are you using? On what operating system?
Chrome 31.0 on Windows.

Please provide any additional information below.
You can use an HTML sanitizer to remove the script tags, or blacklist the 
characters < > and ;. That'll stop the XSS for a while.

Original issue reported on code.google.com by mark.ver...@gmail.com on 10 Dec 2013 at 8:08
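A sanitizer of the kind the report asks for, as an added example that is not gaewiki's own code: an allowlist filter built on Python's standard-library html.parser that keeps a handful of formatting tags, discards script and style elements together with their content, strips every attribute that is not explicitly permitted (so event handlers such as onerror= never survive), and rejects hrefs whose scheme is not http, https or mailto. The tag, attribute and scheme allowlists are assumptions chosen for a plain wiki; the project defines none of them.

```python
"""Allowlist HTML sanitizer (added example; not gaewiki's own code).

Everything not explicitly allowed is dropped or escaped, so an unknown
tag, attribute or URL scheme fails closed instead of reaching the browser.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for a plain wiki; the project itself defines none of these.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # every other attribute is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # javascript:, data:, ... rejected
DROP_WITH_CONTENT = {"script", "style"}        # element *and* its text vanish
VOID_TAGS = {"br"}


def safe_href(value):
    """Return a cleaned href, or None when its scheme is not allowlisted."""
    # Browsers ignore tab/newline/control characters inside a URL, so
    # "java\tscript:" would pass a naive prefix check; strip them first.
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x1F)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned  # relative links (no scheme) are fine


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input HTML, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out = []
        self.open_tags = []   # allowed tags emitted but not yet closed
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text is kept and escaped
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # onerror=, onclick=, style=, ... never get through
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{' '.join(parts)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray closing tag: ignore rather than emit
        while self.open_tags:   # close later tags first to keep nesting valid
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions are dropped by the
    # HTMLParser defaults, which is what we want for wiki content.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Filter user-supplied HTML down to the allowlist above."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # The payload from the report, plus attribute- and URL-based variants
    # (constructed samples, not content from the demo site).
    for sample in ('<script>alert("some dumb content")</script>',
                   '<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<p onclick="x()">hi <b>there</b></p>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Allowlisting is the half of the suggestion worth keeping. A character blacklist of <, > and ; breaks legitimate wiki text and has to be applied identically on every output path, whereas a filter that only emits markup it built itself fails closed: a case it does not recognise is dropped, not passed through. To cover the report, the same sanitize() call has to run on both the preview and the save path, and anything the wiki renders as plain text still needs html.escape().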