totaljs / openplatform

OpenPlatform v5 is a beautiful and simple portal for running, integrating and managing multiple 3rd party web applications.
https://www.totaljs.com/openplatform/
MIT License

[Security] Stored XSS in platform name #53

Closed edoardottt closed 1 year ago

edoardottt commented 1 year ago

Tested version: b80b09d (latest)

Steps to reproduce the vulnerability:

[Screenshots: poc1, poc2]

Gera-G-Guiles commented 1 year ago

Hello [edoardottt], thank you for your comment. The problem can be solved by applying String.removeTags() to remove all HTML tags from the name in both forms you mentioned, before submitting them.

example: form.name = form.name.removeTags();

Surely there are some other solutions in Total.js.

edoardottt commented 1 year ago

Don't rely on these naive solutions; there are specific libraries to sanitize input. You can use symbols in fields, but they will simply be rendered as plain text, not HTML.
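The two comments above contrast stripping tags from the stored name with rendering the name as plain text. The following is an added example, not code from OpenPlatform or Total.js, that shows the difference: a naive tag stripper (a hypothetical stand-in for the removeTags() helper mentioned above) silently alters legitimate names, while HTML output encoding keeps the name exactly as typed and makes the browser display it as literal text. The functions `escapeHtml`, `stripTags`, `renderPlatformName` and the sample names are all constructed for this example.

```javascript
// Added example (not OpenPlatform/Total.js code): two ways of handling a
// user-supplied platform name before it reaches an HTML page.
//
// 1. Naive tag stripping: removes anything that looks like a tag, which also
//    mangles legitimate names that contain angle brackets.
// 2. Output encoding: the name is stored and returned unchanged, and the
//    characters that are significant in HTML are escaped at render time, so
//    the browser shows them as literal text rather than interpreting markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Naive tag removal, for comparison only; hypothetical stand-in for the
// removeTags() helper discussed in the thread.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Render the platform-name header of the settings page. Only the escaped
// form of the name should ever be interpolated into a template like this.
function renderPlatformName(name) {
  return `<h1 class="platform-name">${escapeHtml(name)}</h1>`;
}

// Constructed sample inputs (not taken from the issue).
const SAMPLES = [
  'Acme Platform',           // ordinary name
  'Smith & Sons <Ltd>',      // legitimate symbols, not markup
  '<b>Acme</b> & Partners',  // markup typed into the name field
];

// Returns, for each sample, what tag stripping would store and what output
// encoding would render, so the two approaches can be compared side by side.
function demo() {
  return SAMPLES.map((name) => ({
    name,
    stripped: stripTags(name),
    rendered: renderPlatformName(name),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

With output encoding, "Smith & Sons <Ltd>" is displayed exactly as the user entered it, whereas the tag stripper turns it into "Smith & Sons " and loses part of the name; either way, markup typed into the field is never handed to the HTML parser, which is the property that closes this class of stored XSS.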

petersirka commented 1 year ago

Hi @edoardottt. Thank you for the report. I can't reproduce this issue because I think that it's related to the previous issue with the user name. I found a bug in a helper (on FE) for generating name initials.

edoardottt commented 1 year ago

@petersirka exactly, if in the same instance you have injected the payload in the user name, this issue is not exploitable (because it's impossible to reach the settings). I had to deploy a new instance from scratch.

petersirka commented 1 year ago

Closing. Again, thank you for the report.