modxcms / revolution

MODX Revolution - Content Management Framework
https://modx.com/
GNU General Public License v2.0

Stored XSS: Media Source #14341

Closed Ibochkarev closed 5 years ago

Ibochkarev commented 5 years ago

Bug report

Summary

Stored XSS: Media Source

Steps to reproduce

Go to the Media menu, then media sources. Create or edit an existing media source and insert <img src=# onerror=alert(1); />


Observed behavior

The application processes the HTML tags or scripts, and they are stored in the database.

Expected behavior

It should not accept any scripts or HTML tags.

Environment

MODX Revolution 2.7.0-pl

Mark-H commented 5 years ago

I think this is a duplicate of #14094 that was fixed in #14336 just 22 hours ago? Can you still reproduce in the latest 2.x?

Ibochkarev commented 5 years ago

@Mark-H
Still found:
In Content types - /manager/?a=system/contenttype
In Profile - /manager/?a=security/forms
In the panels - /manager/?a=system/dashboards
In access policy - /manager/?a=security/permission
In the parameter sets - /manager/?a=element/propertyset
In lexicons - /manager/?a=workspaces/lexicon
In namespaces - /manager/?a=workspaces/namespace

I will try to test the latest version from GitHub and try to fix it myself on the weekend!

Mark-H commented 5 years ago

I've created PR #14344 that applies XSS protection for all grid columns by default. There are still places where object names are inserted into a header dynamically, without running them through htmlEncode, so those will still need manual fixing.
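An added example, not part of the thread and not MODX or ExtJS code: it sketches the pattern described in the comment above, where grid columns are encoded by default while a header built outside the grid still needs an explicit encode. The helper and function names (`htmlEncode`, `applyDefaultRenderers`, `renderRow`, `unsafeHeader`, `safeHeader`) and the sample record are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not MODX/ExtJS source.

// Encode the characters that let a string leave HTML text or attribute context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

// Secure-by-default column setup: a column without its own renderer gets
// htmlEncode. A column that brings its own renderer must encode by itself.
function applyDefaultRenderers(columns) {
  return columns.map((col) => ({ ...col, renderer: col.renderer || htmlEncode }));
}

// Render one grid row to an HTML string using each column's renderer.
function renderRow(columns, record) {
  const cells = columns.map((col) => `<td>${col.renderer(record[col.dataIndex])}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Header assembled outside the grid: the default renderer never sees the
// value, so the stored markup reaches the page unchanged.
function unsafeHeader(record) {
  return `<h2>Media Source: ${record.name}</h2>`;
}

// Same header with the explicit encode that such places need.
function safeHeader(record) {
  return `<h2>Media Source: ${htmlEncode(record.name)}</h2>`;
}

// Constructed sample record whose name holds the string from the report.
const record = { id: 3, name: '<img src=# onerror=alert(1); />' };
const columns = applyDefaultRenderers([{ dataIndex: 'id' }, { dataIndex: 'name' }]);

console.log(renderRow(columns, record));  // name cell is inert text
console.log(unsafeHeader(record));        // markup survives: the remaining gap
console.log(safeHeader(record));          // markup neutralised
```
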

Ibochkarev commented 5 years ago

@Mark-H It is excellent!

Ibochkarev commented 5 years ago

Fix to #14344