Open zbuc opened 9 years ago
It would be easy to fix, but that would mean that we have to come up with a safe alternative for embedding links in log messages (as is the case with searchers). Any thoughts on this, @rembo10?
Are we still even embedding links in the logs anymore? I think it's probably better just to disable them
Oh yeah - and I think any time it's sent to the downloader that's a link too. I think we can take those out. What do you think?
What real-world problems does XSS here cause? Is it having a Headphones server accessible over the Internet, and having someone else insert malicious links through special search queries?
Yes, or somebody inserting something malicious on a site Headphones searches.
Unlikely but worth fixing regardless. Adding HTML entity encoding should fix it.
Try searching for something like
</script><script type=text/javascript>alert(123)</script><a href=# onmouseover=alert(1234)>lololol</a>
and then viewing the logs. There will be a link that will pop up a message when moused over. I recommend using HTML encoding on user input being output to the screen whenever possible; see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet for guidelines on preventing XSS in web apps.
See https://docs.python.org/2/library/cgi.html#cgi.escape, a method in Python that could be used at the template layer.
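One way to apply the HTML-encoding recommendation above at the template layer, as an added Python example that is not Headphones' own code: the log message is escaped before it is rendered, and the "safe alternative for embedding links" asked about earlier is a helper that only accepts http(s) URLs and escapes both the href and the link text. It uses html.escape, the Python 3 counterpart of the cgi.escape linked above; the `<div class="log">` wrapper and the function names are assumptions for the example.

```python
import html
import re

# Constructed sample input: the search term quoted in this thread, as it
# would arrive in a log line.
SEARCH_TERM = ('</script><script type=text/javascript>alert(123)</script>'
               '<a href=# onmouseover=alert(1234)>lololol</a>')


def render_log_line_unsafe(message):
    # The behaviour being reported: the message is interpolated straight
    # into the page, so any markup in it becomes live HTML.
    return '<div class="log">%s</div>' % message


def render_log_line(message):
    # Fixed version: HTML-entity encode the message first. quote=True also
    # escapes " and ', which cgi.escape does not do by default; that matters
    # whenever the value can land inside an attribute.
    return '<div class="log">%s</div>' % html.escape(message, quote=True)


# Only plain http(s) URLs may become clickable; anything else (for example a
# javascript: URL) is shown as escaped text instead of a link.
_SAFE_URL = re.compile(r'^https?://', re.IGNORECASE)


def render_log_link(url, text):
    """Build a link for a log message with both parts escaped for their
    context: the URL inside a quoted href attribute, the text as element
    content."""
    if not _SAFE_URL.match(url):
        return html.escape(text, quote=True)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(text, quote=True))
```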