teamstudio / Continuity

Teamstudio's repository for the Continuity project

[Hazards] JS injection is possible via hazard name #318

Open teamstudio opened 9 years ago

teamstudio commented 9 years ago

Environment: Google Chrome 43.0.2357.81 m Windows 8.1 x64 Enterprise Continuity v 1.4.4 Account used: maxtestlioshared@gmail.com / Lovetesting1

Steps to reproduce:

  1. Login > hazards
  2. Add hazard > enter name "" > select type "Natural disaster" > save
  3. Go to Assets > add asset > click select hazard > observe alert

Expected result: JS injection shouldn't be possible

Actual result: JS alert appears, so JS injection is possible via hazard name when user selects hazard during asset creation

2015-05-27 01h13_19.mp4

teamstudio commented 9 years ago

The same:

  1. Login > assets
  2. Add asset > enter name "<script>alert('Hello, asset!');</script>" > save
  3. Go to Organization Units > mark assets checkboxes > save
  4. Observe alert on opened Organization Units page


teamstudio commented 9 years ago

Also:

  1. Login > hazards
  2. Add hazard > enter name "<script>alert('Hello, hazardname!');</script>" > select type "Natural disaster" > save
  3. Go to Business scenarios > click select hazard > observe alert


teamstudio commented 9 years ago

Also:

  1. Login > files
  2. Add file > enter file description "<script>alert('Hello, file description!');</script>" > save
  3. Observe alert on Files page


teamstudio commented 9 years ago

Also, the same holds for both fields Task name and Task Description



teamstudio commented 9 years ago

The same for field Checklist Description at Plan checklists page


teamstudio commented 9 years ago

The same for field Responsibility description at Responsibilities page


teamstudio commented 9 years ago

The same for field "Message" on Updates page
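As an added example, not code from the Continuity project or from any commenter: every field in this thread (hazard name, asset name, file description, task, checklist and responsibility descriptions, message) is stored text that later reaches the page as markup. Escaping each value at render time, shown here for the hazard selector, makes the quoted payloads display as literal text instead of executing; the `{ id, name }` object shape and the function names are assumptions.

```javascript
// Added example, not Continuity project code. Assumes hazards are rendered
// into a <select> from objects shaped like { id, name } (an assumption).

// Characters that can open or close a tag, an attribute, or a JS string.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape user-controlled text before it is concatenated into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rendering of the kind the report implies: the stored name is placed into
// the markup verbatim, so a name containing <script>...</script> executes
// as soon as the selector is inserted into the page.
function renderHazardOptionUnsafe(hazard) {
  return `<option value="${hazard.id}">${hazard.name}</option>`;
}

// Same markup with every stored value escaped. With a DOM available,
// assigning option.textContent / option.value instead of building strings
// gives the same protection.
function renderHazardOption(hazard) {
  return `<option value="${escapeHtml(hazard.id)}">${escapeHtml(hazard.name)}</option>`;
}

// Regression check for the fields listed in the thread: pass each stored
// value through the text renderer under test and return the fields whose
// output still contains a raw tag. An empty result means the field is inert.
function fieldsLeakingMarkup(record, renderText) {
  return Object.keys(record).filter((field) => /<\/?[a-z]/i.test(renderText(record[field])));
}

// Constructed samples using the payloads quoted in the report.
const SAMPLE_HAZARD = { id: 7, name: "<script>alert('Hello, hazardname!');</script>" };
const SAMPLE_ASSET = { name: "<script>alert('Hello, asset!');</script>", description: 'Backup generator' };

console.log(renderHazardOptionUnsafe(SAMPLE_HAZARD)); // <script> tag reaches the page
console.log(renderHazardOption(SAMPLE_HAZARD));       // shown as literal text
console.log(fieldsLeakingMarkup(SAMPLE_ASSET, (v) => v));      // [ 'name' ]
console.log(fieldsLeakingMarkup(SAMPLE_ASSET, escapeHtml));    // []
```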