instructure / canvas-lms

The open LMS by Instructure, Inc.
https://github.com/instructure/canvas-lms/wiki
GNU Affero General Public License v3.0

XSS <style> Exploit using Https proxy #2266

Open MaxNiftyNine opened 8 months ago

MaxNiftyNine commented 8 months ago

Summary:

Using an HTTPS proxy, you can send an XSS (kinda) in a discussions page using )

Expected behavior:

This does not work.

Actual behavior:

This works.

Additional notes:

ccutrer commented 8 months ago

What are you expecting the solution to be here? If you're introducing a MITM that can alter content, I'm not sure there's much the application can do to protect against it. We already sanitize the content when it gets to our servers.

MaxNiftyNine commented 8 months ago

> What are you expecting the solution to be here? If you're introducing a MITM that can alter content, I'm not sure there's much the application can do to protect against it. We already sanitize the content when it gets to our servers.

Is it possible to scan the text for a string like "