yawik / SimpleImport

Simple Job Import Module. Imports job openings into YAWIK
MIT License

Some values are not sanitized and lead to arbitrary code injection #34

Open mbo-s opened 5 years ago

mbo-s commented 5 years ago

Similar to https://github.com/cross-solution/YAWIK/issues/543

The values from the JSON will be imported without being sanitized. Affected fields are at least company and location. There can be other fields which produce the same errors, e.g. classification fields.

Sample file

{
   "jobs": [
       {
           "id": 1,
           "title": "<h1>Title</h1><script>alert('Title-XSS');</script>",
           "location": "<h1>Location</h1><script>alert('Location-XSS');</script>",
           "link": "http://www.example.com/job/1"
       }
   ]
}
TiSiE commented 4 years ago

For nearly every value in the JobDataInputFilter we can add a StripTags-Filter...

Only the filtering of the templateValues (JobDataInputFilter#L193-L230) cannot simply strip all tags, because at least in the html field HTML is explicitly allowed.
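To make the suggestion above concrete, here is an added example (not code from the SimpleImport module) of an input filter spec in the style of Zend\InputFilter as used by YAWIK: plain-text fields get StripTags, the link is validated as an http(s) URL, and the html field keeps an explicit tag allowlist instead of being stripped entirely. The html sample value, the `company` field name and the allowed-tag list are assumptions; `title`, `location` and `link` come from the issue's sample file.

```php
<?php
// Added example: JobDataInputFilter-style spec that strips tags from text fields
// and restricts the html field to an allowlist. Not the module's own code.
require 'vendor/autoload.php';

use Zend\InputFilter\InputFilter;

$filter = new InputFilter();

// Plain-text fields from the import JSON: no markup is legitimate here.
foreach (['title', 'company', 'location'] as $name) {
    $filter->add([
        'name'     => $name,
        'required' => $name === 'title',
        'filters'  => [['name' => 'StripTags'], ['name' => 'StringTrim']],
    ]);
}

// The link must be an absolute http(s) URL; the Http URI handler rejects other
// schemes (e.g. javascript:), which StripTags alone would never touch.
$filter->add([
    'name'       => 'link',
    'required'   => false,
    'filters'    => [['name' => 'StringTrim']],
    'validators' => [['name' => 'Uri', 'options' => [
        'uriHandler' => 'Zend\Uri\Http', 'allowRelative' => false,
    ]]],
]);

// The html field legitimately contains markup, so only keep an allowlist of
// tags. StripTags checks tag and attribute names, not attribute values, so the
// list deliberately has no tags with URL or event-handler attributes.
$filter->add([
    'name'     => 'html',
    'required' => false,
    'filters'  => [['name' => 'StripTags', 'options' => [
        'allowTags' => ['p', 'br', 'ul', 'ol', 'li', 'strong', 'em', 'h2', 'h3'],
    ]]],
]);

// Constructed sample mirroring the issue's reproduction file (html is assumed).
$job = [
    'title'    => "<h1>Title</h1><script>alert('Title-XSS');</script>",
    'location' => "<h1>Location</h1><script>alert('Location-XSS');</script>",
    'link'     => 'http://www.example.com/job/1',
    'html'     => '<p>Apply <strong>now</strong></p><script>alert(1)</script>',
];

$filter->setData($job);
var_export($filter->isValid() ? $filter->getValues() : $filter->getMessages());
```

Note that StripTags removes the tags but keeps their text content, so the script body survives as harmless text; the filtered values still need to be escaped in the view templates, since the filter is a second line of defence, not a replacement for output encoding.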