@dbohannon I have tested this with Flask (0.12.2) and Flask-User (0.6.20) and this type of XSS doesn't work. At least if you follow a few rules:

- avoid generating HTML without Jinja2
- avoid sending out data from uploaded files
- avoid using the Markup class on unverified data sent by a user
- always quote attribute values in your templates when Jinja expressions are used within them; otherwise an attacker could easily inject either JavaScript code or CSS
@dbohannon Could you please also make a test with 0.6.20 and confirm?
The default Login page provided by Flask-User at /users/sign-in is vulnerable to cross-site scripting attacks. Specifically, when navigating to a page that requires authentication, an unauthenticated user is redirected to /users/sign-in and the originally requested URL is reflected onto the page. Arbitrary content can be written to the page by adding query params containing malicious HTML to the original URL. For example, if the /profile route is protected:
http://localhost/profile?hack=<img src=x onerror=alert('XSS_SUCCESS')></img>
Tested using Firefox and Flask-User v0.6
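To make the reported pattern concrete from the defender's side, here is an added, stand-alone illustration (not Flask-User's code and not from the report) of the two ways a login page can reflect the originally requested URL: string concatenation that turns query parameters into live markup, beside a hardened version that validates the redirect target and HTML-escapes it inside quoted attributes. It uses only the standard library and a constructed request URL; the helper names are hypothetical.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Constructed request: an unauthenticated visit to the protected /profile
# route whose query string carries an HTML payload (the shape of the report).
REQUESTED_URL = "/profile?hack=<img src=x onerror=alert('XSS_SUCCESS')></img>"


def render_login_unsafe(next_url: str) -> str:
    """Vulnerable pattern: the requested URL is concatenated straight into the
    page and the attribute is unquoted, so query params become live markup."""
    return ('<form method="post" action="/users/sign-in">'
            f'<input type="hidden" name="next" value={next_url}>'
            '</form>'
            f'<p>Please sign in to continue to {next_url}</p>')


def safe_local_path(next_url: str) -> str:
    """Keep only same-site relative paths as the post-login redirect target.
    A scheme, a host, or a protocol-relative //host falls back to "/", which
    also prevents the login form from being used as an open redirect."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not next_url.startswith("/") \
            or next_url.startswith("//"):
        return "/"
    # Drop any fragment; keep path and query so the user lands where intended.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_login_safe(next_url: str) -> str:
    """Hardened pattern: validate the target, HTML-escape every reflected value
    (quote=True also escapes ' and "), and keep attribute values quoted."""
    target = html.escape(safe_local_path(next_url), quote=True)
    return ('<form method="post" action="/users/sign-in">'
            f'<input type="hidden" name="next" value="{target}">'
            '</form>'
            f'<p>Please sign in to continue to {target}</p>')


def contains_live_markup(page: str) -> bool:
    """Crude detection check for this demo: did an <img tag survive escaping?"""
    return "<img" in page


if __name__ == "__main__":
    print("unsafe reflects markup:", contains_live_markup(render_login_unsafe(REQUESTED_URL)))
    print("safe reflects markup:  ", contains_live_markup(render_login_safe(REQUESTED_URL)))
```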