Closed Ibochkarev closed 5 years ago
I think this is a duplicate of #14094 that was fixed in #14336 just 22 hours ago? Can you still reproduce in the latest 2.x?
@Mark-H
Still found:
In Content types - /manager/?a=system/contenttype
In Profile - /manager/?a=security/forms
In the panels - /manager/?a=system/dashboards
In access policy - /manager/?a=security/permission
In the parameter sets - /manager/?a=element/propertyset
In lexicons - /manager/?a=workspaces/lexicon
In namespaces - /manager/?a=workspaces/namespace
I will try to test the latest version of github and try to fix it myself on the weekend!
I've created PR #14344 that applies XSS protection for all grid columns by default. There are still places where object names are inserted into a header dynamically, without running them through htmlEncode, so those will still need manual fixing.
@Mark-H It is excellent!
Fix to #14344
Bug report
Summary
Stored XSS: Media Source
Step to reproduce
Go to the Media menu, then media sources. Create or edit an existing media source and insert
<img src=# onerror=alert(1); />
Observed behavior
The application processes the html tags or scripts and it is getting stored in the database.
Expected behavior
It should not accept any scripts or html tags.
Environment
MODX Revolution 2.7.0-pl