marcosptf
commented
5 years ago this issue fixed on pr https://github.com/rochacbruno/quokka/pull/678
Open HatBoy opened 5 years ago
marcosptf
commented
5 years ago this issue fixed on pr https://github.com/rochacbruno/quokka/pull/678
Hi, I would like to report Cross Site Scripting vulnerability in latest release. Description: Cross-site scripting (XSS) vulnerability inquokka/admin/actions.py 90, 151 line, Because there is no filter username. The vulnerability code is:
flash(Markup( f'Profile block for {user["username"]} ' f'Created at: ' f'<a href="{newlink}">{new.inserted_id}</a>' ))Steps To Reproduce: 1.Create a user, username is xss payload, like: 2.Select the username and Create user profile block, then trigger the payload.
author by jin.dong@dbappsecurity.com.cn