A XSS bug that can execute code（用户恶意修改 评论 的ua可触发XSS执行代码）

[FFreestanding]

如果您想报告错误，请提供以下信息 If you want to report a bug, please provide the following information:

• [x] 可复现问题的步骤 The steps to reproduce.
• [x] 可复现问题的网页地址 A minimal demo of the problem via https://jsfiddle.net or http://codepen.io/pen if possible.
• [x] 受影响的Valine版本、操作系统，以及浏览器信息 Which versions of Valine, and which browser / OS are affected by this issue?

[FFreestanding]

可复现问题的步骤 The steps to reproduce.

The latest version of valine is 1.4.18

First select a page to test : https://valine.js.org/hexo.html

Capture the packet then modify the post of the packet and sent

below payload will make the comments look normal and allows code execution，Google Chrome and Firefox will all be attacked.

It work

The alarm information is related to other failed test codes. Please ignore it

可复现问题的网页地址 A minimal demo

https://valine.js.org/ https://valine.js.org/hexo.html http://luckyzmj.cn/posts/1d6f1579.html

maybe all websites which is using the project will be influenced

受影响的Valine版本、操作系统，以及浏览器信息 Which versions of Valine, and which browser / OS are affected by this issue?

Valine1.4.18 win10 Google Chrome and Firefox

[xCss]

已修复，感谢对Valine的支持~ ❤️

[xCss]

收到，感谢反馈，将在下个版本修复

在 2022年6月21日，20:45，young-xz @.***> 写道：

 可复现问题的步骤 The steps to reproduce.

The latest version of valine is 1.4.18

First select a page to test : https://valine.js.org/hexo.html

Capture the packet then modify the post of the packet and sent

It work

The alarm information is related to other failed test codes. Please ignore it

可复现问题的网页地址 A minimal demo

https://valine.js.org/ https://valine.js.org/hexo.html maybe other website which is using the project

受影响的Valine版本、操作系统，以及浏览器信息 Which versions of Valine, and which browser / OS are affected by this issue?

Valine1.4.18 win10 Google Chrome

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.