thiagoralves / OpenPLC_v3

OpenPLC Runtime version 3

Improve input sanitation by escaping possible HTML characters in order to prevent the embedding of custom JavaScript #152

Closed vembacher closed 3 years ago

vembacher commented 3 years ago

Issue

Currently, the input from forms can include JavaScript that is not escaped in order to prevent its execution.

For instance, it was possible to upload a program with the description:

<script>alert('xss');</script>

The code in the script tag is then executed. The same issue applies to many other fields.

Solution

I added some sanitation. The sanitation consists of using a slightly modified version of html.escape from the python 3.9 standard library.

The sanitation is applied when creating/updating data in the database with user provided input.
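The escaping described above, as an added illustration that is not the code from this pull request or from OpenPLC_v3: it reproduces the replacement table of the standard library's html.escape(s, quote=True) (the PR says it uses a slightly modified version, and the modification is not shown here, so stock behaviour is assumed), applies it to every string field of a constructed form submission before that record would be written to the database, and shows what the reported description becomes. The field names and the sample record are constructed for the example.

```python
import html

# Constructed sample: the program description quoted in the report above.
SAMPLE_DESCRIPTION = "<script>alert('xss');</script>"

# Same table and order as html.escape(s, quote=True). '&' is replaced first
# so that the entities introduced by the later replacements are not escaped
# a second time.
_HTML_ESCAPES = (
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
)


def escape_html(value: str) -> str:
    """Replace the characters that can open a tag or end a quoted attribute."""
    for raw, entity in _HTML_ESCAPES:
        value = value.replace(raw, entity)
    return value


def sanitize_fields(record: dict) -> dict:
    """Escape every string field of a form submission before it is stored.

    Non-string values (integers, None) pass through unchanged; the return
    value is a new dict, the input is not modified.
    """
    return {
        key: escape_html(val) if isinstance(val, str) else val
        for key, val in record.items()
    }


def is_inert(value: str) -> bool:
    """True when the stored text can no longer introduce markup if it is later
    placed into HTML body text."""
    return "<" not in value and ">" not in value


if __name__ == "__main__":
    # Hypothetical form record; the field names are assumptions.
    form = {"name": "blink", "description": SAMPLE_DESCRIPTION, "file_id": 7}
    stored = sanitize_fields(form)
    print(stored["description"])
    # Sanity check against the standard library implementation.
    assert escape_html(SAMPLE_DESCRIPTION) == html.escape(SAMPLE_DESCRIPTION)
    assert is_inert(stored["description"])
```

Because the escaping happens once, at storage time, a value that already contains an entity (for example `&lt;`) is stored as `&amp;lt;`; that is expected for this approach, and the same function must not be applied again when the value is rendered, or entities will show up literally in the page.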

thiagoralves commented 3 years ago

Thanks for your contribution! I believe this should fix CVE-2021-3351 for everyone that is tracking it.