Closed (edoardottt closed this issue 1 year ago)
Hello [edoardottt], thank you for your comment. The problem can be solved by applying String.removeTags(); to remove all HTML tags from the name in both forms that you mentioned, before submitting them.
Example: form.name = form.name.removeTags();
Sure, there are some other solutions in Total.js.
Don't rely on these naive solutions; there are specific libraries to sanitize input. You can use symbols in fields, but they will simply be rendered as pure text and not HTML.
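As an added example in JavaScript (not code from the Total.js project or from anyone in this thread), the two approaches discussed above side by side: a one-pass tag-stripping sanitizer in the spirit of the removeTags() suggestion, and HTML entity escaping at the point where the value is rendered. The payload is the one from the report; naiveRemoveTags, escapeHtml, renderPlatformName, countStartTags, injectsMarkup and the nested-tag bypass string are all assumptions written for this example, and naiveRemoveTags is a stand-in for the stripping idea, not Total.js's implementation.

```javascript
// Added example; not code from Total.js or from the issue's participants.
// The payload is the one from the report; everything else here is assumed.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Constructed bypass: a tag nested inside the tag name. A single non-recursive
// strip removes the inner <b> and reassembles the original payload.
const NESTED_BYPASS = '"><im<b>g src=x onerror=alert(document.domain)>';

// Naive input-side sanitizer, a stand-in for the removeTags() idea
// (assumed; not Total.js's implementation). One pass, one regex.
function naiveRemoveTags(s) {
  return String(s).replace(/<[^<>]*>/g, '');
}

// Output-side escaping: the characters HTML gives meaning to become entities,
// so the value is rendered as text and cannot open a tag or close an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for a settings view that interpolates the platform name into a
// quoted attribute; the "> prefix of the payload is aimed at exactly this sink.
function renderPlatformName(name) {
  return `<input name="platform" value="${name}">`;
}

// Count start tags in the rendered markup. A safe render of one input field
// has exactly one, no matter what the name contained.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Render a name through a given treatment and report whether extra markup appeared.
function injectsMarkup(name, treat) {
  return countStartTags(renderPlatformName(treat(name))) !== 1;
}

// Stand-alone demonstration of both treatments on both inputs.
for (const [label, value] of [['payload', PAYLOAD], ['nested bypass', NESTED_BYPASS]]) {
  console.log(label, 'after naiveRemoveTags:', JSON.stringify(naiveRemoveTags(value)),
    '| injects markup:', injectsMarkup(value, naiveRemoveTags));
  console.log(label, 'after escapeHtml:     ', JSON.stringify(escapeHtml(value)),
    '| injects markup:', injectsMarkup(value, escapeHtml));
}
```

Stripping happens to neutralise the literal payload, but it leaves a stray "> that still breaks the attribute, and the nested-tag variant survives one pass intact. Escaping at the render sink keeps the field at exactly one element in every case and displays the name verbatim as text, which is the behaviour the comment above describes.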
Hi @edoardottt. Thank you for the report. I can't reproduce this issue because I think that it's related to the previous issue with the user name. I found a bug in a helper (on the FE) for generating name initials.
@petersirka Exactly. If in the same instance you have injected the payload in the user name, this issue is not exploitable (because it's impossible to reach the settings). I had to deploy a new instance from scratch.
Closing. Again, thank you for the report.
Tested version: b80b09d (latest)
Steps to reproduce the vulnerability:
"><img src=x onerror=alert(document.domain)>
as platform name and save.