Closed pcoutinho closed 8 years ago
Just talked it over with Morten, and we really can't see how this can be done unless you directly use user input in alerts. If you use fields on the model, will it be sanitised there? Is there a way we can tell them that? Because right now we removed features in our backend. It's used to do bold / italic & links etc.
@Skyback
We can use the following example: you have a Message model, with title and body. On the app itself the user inputs a malicious JS script in the title. As a backend user, you have the ability to edit messages. You go and edit the body of the message, and click update. Now a message saying "Updated [title]" appears, and the JS is run. We are left with 2 options: we filter all the output, or we stop outputting user input without it being sanitised and consider this a standard.

On 5 Sep 2016 08:22, Casper Rasmussen notifications@github.com wrote:

Just talked it over with Morten, and we really can't see how this can be done unless you directly use user input in alerts. If you use fields on the model, will it be sanitised there? Is there a way we can tell them that? Because right now we removed features in our backend. It's used to do bold / italic & links etc.

@Skyback
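The scenario above, as an added example (not code from this issue or from the project): a backend notice is built from a user-controlled Message title, once by raw concatenation (what Blade's `{!! ... !!}` does) and once through HTML escaping (what Blade's `{{ ... }}` does, since it compiles to `echo e($x);` and `e()` is `htmlspecialchars()` with `ENT_QUOTES`). The Message array, the `escapeHtml` helper and the `containsRawTag` check are constructed for this example and are not part of the project.

```php
<?php
// Added example, not from the issue thread or the project. Mirrors Laravel's e()
// helper, which Blade's {{ $x }} syntax calls on every echoed value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: a Message record whose title was submitted by an app user.
$message = [
    'title' => "Hello <script>alert('xss')</script>",
    'body'  => 'Some body text',
];

// Vulnerable rendering, equivalent to Blade's raw echo {!! ... !!}: the title is
// concatenated into the "Updated [title]" notice without escaping, so any markup
// in it is interpreted by the backend user's browser.
function buildRawNotice(array $message): string
{
    return 'Updated ' . $message['title'];
}

// Safe rendering, equivalent to Blade's {{ ... }}: the title is escaped before
// it is placed in the notice, so it renders as text.
function buildSafeNotice(array $message): string
{
    return 'Updated ' . escapeHtml($message['title']);
}

// Defensive check a reviewer can run over rendered output (constructed helper):
// no raw script tag from a user-controlled field should survive rendering.
function containsRawTag(string $html): bool
{
    return (bool) preg_match('/<\s*script\b/i', $html);
}

$rawNotice  = buildRawNotice($message);
$safeNotice = buildSafeNotice($message);

var_dump(containsRawTag($rawNotice));  // raw path: the tag reaches the page
var_dump(containsRawTag($safeNotice)); // escaped path: rendered as &lt;script&gt;
echo $safeNotice, PHP_EOL;
```

Run with `php example.php`. The point for the fix discussed in this thread is the second option pcoutinho lists: rather than filtering every field on input (which would strip the bold / italic / link markup the backend relies on), every place that echoes a `$message` field goes through the escaping path, and the raw-echo form is reserved for content the backend itself produces.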
Every $message content is now properly sanitised by the Blade templating system. This adds to XSS protection.