iFargle / headscale-webui

A simple Headscale web UI for small-scale deployments.

Adding pre-auth keys does not work. #38

Closed apollo13 closed 1 year ago

apollo13 commented 1 year ago

When I try to add a pre-auth key, an empty window pops up and nothing happens.

The js console & server logs show no issues.

iFargle commented 1 year ago

Same issue. I'll get it fixed shortly!

iFargle commented 1 year ago

Fixed :) thanks for pointing this out!

apollo13 commented 1 year ago

Hi @iFargle, thank you for the fix. I see that you are using `+` operations to concat strings to construct HTML. An attacker can use this to inject other HTML or JavaScript (consider someone setting a `user_name` to `<b>apollo13</b>`, which would show up as bold). Granted, the username per se is a bad example, because headscale itself might forbid such usernames. Nevertheless, why open yourself up to a potential vulnerability in a security-sensitive UI? If you were to use Jinja for templating with escaping enabled, you'd at least fix 90% of such issues.

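The pattern discussed in the comment above, shown side by side as an added example (this is not the project's code, and the row layout, function names and sample inputs are assumptions made for illustration): a table row for a pre-auth key built by string concatenation, the same row with every untrusted value escaped with the standard library's `html.escape`, and the same row rendered through a Jinja environment with `autoescape=True`. The hostile username is constructed; it carries both the `<b>` case from the comment and an `onerror` handler to show that the same sink executes script, not just formatting.

```python
"""Constructed example: HTML built by string concatenation lets a
user-controlled value inject markup; escaping (which Jinja's autoescape
does for every interpolated value) prevents it.

Not the project's code.  The row layout, function names and sample
inputs below are assumptions made for illustration.
"""
import html

try:
    from jinja2 import Environment
except ImportError:  # jinja2 is optional here; the stdlib path still runs
    Environment = None

# Constructed inputs: one benign username, one that carries markup and script.
BENIGN_USER = "apollo13"
HOSTILE_USER = "<b>apollo13</b><img src=x onerror=alert(document.cookie)>"

# Static scaffolding of the row; anything beyond these tags came from data.
ROW_SCAFFOLD = "<tr><td></td><td></td></tr>"
ROW_TEMPLATE = "<tr><td>{{ user_name }}</td><td>{{ key }}</td></tr>"


def pre_auth_key_row_concat(user_name: str, key: str) -> str:
    """Vulnerable: the concatenation pattern the comment warns about.
    user_name and key land in the markup verbatim."""
    return "<tr><td>" + user_name + "</td><td>" + key + "</td></tr>"


def pre_auth_key_row_escaped(user_name: str, key: str) -> str:
    """Hardened: each untrusted value is HTML-escaped before concatenation.
    html.escape(quote=True) turns & < > " ' into entities, the same set
    Jinja's autoescape handles (Jinja uses numeric entities for quotes)."""
    return ("<tr><td>" + html.escape(user_name, quote=True)
            + "</td><td>" + html.escape(key, quote=True) + "</td></tr>")


def pre_auth_key_row_jinja(user_name: str, key: str):
    """Same row rendered through Jinja with autoescape on, so the template
    author does not have to remember to escape each value.
    Returns None when jinja2 is not installed so the module still imports."""
    if Environment is None:
        return None
    env = Environment(autoescape=True)
    return env.from_string(ROW_TEMPLATE).render(user_name=user_name, key=key)


def injected_markup(rendered: str) -> bool:
    """True when the rendered row contains more tags than the fixed scaffold,
    i.e. user data contributed markup of its own."""
    return rendered.count("<") != ROW_SCAFFOLD.count("<")


def main() -> None:
    for label, user in (("benign", BENIGN_USER), ("hostile", HOSTILE_USER)):
        raw = pre_auth_key_row_concat(user, "key1")
        safe = pre_auth_key_row_escaped(user, "key1")
        print(f"[{label}] concat  injected={injected_markup(raw)}: {raw}")
        print(f"[{label}] escaped injected={injected_markup(safe)}: {safe}")
        via_jinja = pre_auth_key_row_jinja(user, "key1")
        if via_jinja is not None:
            print(f"[{label}] jinja   injected={injected_markup(via_jinja)}: {via_jinja}")


if __name__ == "__main__":
    main()
```

Note that escaping at the point where data meets HTML is the fix for the concatenation sink only; a value placed inside a `<script>` block, a URL attribute or an inline event handler needs escaping appropriate to that context, which is the remaining 10% the comment leaves open.
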
iFargle commented 1 year ago

Interesting... I'm very new to programming. I'll take all the help I can get! I'll look into this. If I can figure it out I'll push some fixes. Thank you!

apollo13 commented 1 year ago

That is a great attitude! Feel free to tag me on PR where you want some reviews, I cannot always answer in a timely manner but I'll try 😊

> On Sun, Mar 5, 2023, at 01:20, Albert Copeland wrote:
> Interesting... I'm very new to programming. I'll take all the help I can get! I'll look into this. If I can figure it out I'll push some fixes. Thank you!