How? Create a test, have XSS in the AS name of the IP or nameserver IP, send /connection/finished/$test_id to the victim. But since nothing really runs on http://conn. this is not really a security issue in this special case.
Probably change HttpResponse and json.dumps to JsonResponse.
Update: There do not seem to be ASNs with XSS in the name.
$ curl -sSfA 'Mozilla/5.0 (compatible; HumanWithCurl/0.1; +https://github.com/internetstandards/Internet.nl/issues/1422)' --compressed https://bgp.tools/asns.csv | grep '<'
AS134084,Bani Networks LTD < Internet Service Provider >,Eyeball,BD
AS64052,Bani Networks LTD < Internet Service Provider >,Unknown,BD
Update2: according to @mxsasha IRRD 4 validates AS names and has some check in place to prevent XSS in AS names, so this becomes almost impossible to abuse.
Update3: but as descr is used, this is not filtered as heavily, but apparently nobody has been able to put XSS in their as-desc?
Risks of XSS.
https://github.com/internetstandards/Internet.nl/blob/92260908b253b1c9c21848d1ca3ee856b748a180/interface/views/connection.py#L287-L295
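Added example, not code from this issue or from the Internet.nl repository: Django's HttpResponse defaults to Content-Type text/html, so json.dumps output that carries markup from an AS name is served as HTML, while JsonResponse sets application/json. The stdlib-only check below finds that pattern in view source so other occurrences can be reviewed; the sample views and the `lookup` helper are constructed for illustration.

```python
import ast

# Constructed sample views; `lookup` is a hypothetical helper, not project code.
SAMPLE = '''
import json
from django.http import HttpResponse, JsonResponse

def finished(request, test_id):
    results = {"as_name": lookup(test_id)}
    return HttpResponse(json.dumps(results))

def finished_typed(request, test_id):
    return HttpResponse(json.dumps({}), content_type="application/json")

def finished_fixed(request, test_id):
    return JsonResponse({"as_name": lookup(test_id)})
'''

def _is_json_dumps(node):
    """True for a call written as json.dumps(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "dumps"
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "json")

def _callee_name(call):
    """Name of the called object: HttpResponse(...) or http.HttpResponse(...)."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def find_html_typed_json(source):
    """Return sorted (line, function) pairs for HttpResponse(json.dumps(...))
    calls that set no content_type and are therefore served as text/html."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and _callee_name(node) == "HttpResponse"):
                continue
            if not (node.args and _is_json_dumps(node.args[0])):
                continue
            # content_type may be passed by keyword or as the second positional argument
            if len(node.args) > 1 or any(kw.arg == "content_type" for kw in node.keywords):
                continue
            findings.add((node.lineno, func.name))
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_html_typed_json(SAMPLE):
        print(f"line {line}: {name}() returns json.dumps() output as text/html")
```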