svsticky / constipated-koala

Management system for our study association
https://koala.svsticky.nl/
GNU General Public License v3.0

Client-sided Javascript Injection is possible when a user edits their activity sign-up information #1020

Open SilasPeters opened 2 years ago

SilasPeters commented 2 years ago

This only affects the malicious user, on submitting and on the next time the page is accessed. More info below.

Current situation

When signing up for an activity, the user can (if enabled) provide more information in a text field. When the user types something like `huh what if I <script>alert("Geoffry was sadly forgotten in my last PR")</script>`, that code will be executed successfully.

It's a bug, not a security issue

Initial tests (at Jun 22, 21:00 or so) were done by injecting the script using the `test@svsticky.nl` account in a random activity on the staged branch. On submitting and on the next time the page was accessed, the script got executed. Other reloads and page loads (and with cache clears) didn't execute the script successfully (though that part was done on a local up-to-date clone). When another user, logged in as an admin, loads the page, nothing bad happens. It was assumed by multiple people that the JS injection thus only works client-side.

It might be possible that JS injection is possible in more scenarios, however.
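The behaviour described in the issue (a text-field value that runs as script when the page is rendered) is what happens when a field is interpolated into HTML without escaping. The following is an added example, not code from constipated-koala, and it does not claim to show where in Koala the value is rendered; it only assumes that some template interpolates the note verbatim. The sample strings are constructed (the first one is modelled on the payload quoted above), and the function names are hypothetical. It renders the same value in two HTML contexts, a text node and a quoted attribute, first verbatim and then through `ERB::Util.html_escape` from the Ruby standard library, and shows that escaping at the output point both removes the executable markup and preserves the original text.

```ruby
require "erb"
require "cgi"

# Constructed sample inputs (assumptions for this example, not taken from the project).
# The first is modelled on the payload quoted in the issue; the second targets an
# attribute context, where no <script> tag is needed to break out.
SIGNUP_NOTE  = 'huh what if I <script>alert("Geoffry was sadly forgotten in my last PR")</script>'
ATTR_PAYLOAD = '" onfocus="alert(1)'

# --- Text-node context -------------------------------------------------------

# Unsafe: the field value is dropped into the markup verbatim.
def render_note_unsafe(note)
  %(<p class="note">#{note}</p>)
end

# Safe: the value is escaped at the point where it enters HTML.
# ERB::Util.html_escape rewrites & < > " ' to entity references.
def render_note_escaped(note)
  %(<p class="note">#{ERB::Util.html_escape(note)}</p>)
end

# --- Quoted-attribute context -------------------------------------------------

# Unsafe: a quote in the value terminates the attribute early.
def render_input_unsafe(note)
  %(<input type="text" name="note" value="#{note}">)
end

# Safe: the same escape function also covers quoted attributes.
def render_input_escaped(note)
  %(<input type="text" name="note" value="#{ERB::Util.html_escape(note)}">)
end

# --- Checks -------------------------------------------------------------------

# Does the rendered HTML still contain an executable script element?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

# Returns the raw text of the value="..." attribute as a browser would delimit it:
# everything up to the first unescaped double quote.
def attribute_value(html)
  m = html.match(/value="([^"]*)"/)
  m ? m[1] : nil
end

# Decodes entity references back to text, so we can show that escaping is
# lossless: the original note is recoverable from the safe rendering.
def unescape(html)
  CGI.unescapeHTML(html)
end

if __FILE__ == $0
  puts render_note_unsafe(SIGNUP_NOTE)
  puts render_note_escaped(SIGNUP_NOTE)
  puts render_input_unsafe(ATTR_PAYLOAD)
  puts render_input_escaped(ATTR_PAYLOAD)
end
```

Two points this makes that the issue text does not: the attribute case shows that filtering for `<script>` alone is not a fix, because the same field rendered inside `value="..."` can inject an event handler without any tag; and the escaped output round-trips, so escaping at render time costs nothing in stored data. In a Rails app the default `<%= %>` already performs this escape; the places to look for this class of bug are uses of `raw`, `html_safe` or `<%== %>` on user-controlled values, and any JavaScript that inserts the field into the DOM via `innerHTML` or similar.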