
"Nickname" has a stored XSS vulnerability

Open xfiftyone opened this issue 4 years ago • 2 comments

Description

There is no escaping in the nickname field on the user list page. When viewing this page, the JavaScript code will be executed in the user's browser.

Impact Version

v1.03

Steps to Reproduce

1. Visit the profile page after logging in: http://xxx/user
2. Click on the nickname and insert the JavaScript code: test<img/src=x onerror=alert(1)>
3. Click save; the payload has been executed.

The original request is as follows:

POST /admin/user/updateuser
name=Nickname&value=test%3Cimg%2Fsrc%3Dx+onerror%3Dalert(1)%3E&pk=300

xfiftyone avatar Jul 06 '21 14:07 xfiftyone

Thank you, I will fix it.

3xxx avatar Jul 09 '21 14:07 3xxx

    value := c.Input().Get("value")
    value = template.HTMLEscapeString(value) // escape HTML metacharacters to filter XSS attacks (html/template)
    err = m.UpdateUser(id, name, value)

3xxx avatar Jul 09 '21 15:07 3xxx
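As an added example (not engineercms code), the input-side escape from the fix above shown beside output-side contextual escaping with html/template, which also neutralises nicknames that were stored before the fix; the template, the function names and the sample nickname are assumptions constructed for this illustration.

```go
package main

import (
	"bytes"
	"html/template"
	"strings"
)

// Constructed sample modelled on the report: a nickname carrying an <img onerror> handler.
const reportedNickname = "test<img/src=x onerror=alert(1)>"

// EscapeNickname applies the same input-side defence as the maintainer's fix:
// HTML-escape the submitted value before it is stored.
func EscapeNickname(raw string) string {
	return template.HTMLEscapeString(raw)
}

// userListPage is a minimal stand-in for the user list template (assumed, not the
// project's real template). html/template escapes {{.}} according to its HTML context.
var userListPage = template.Must(template.New("users").Parse(
	`<ul>{{range .}}<li class="nick">{{.}}</li>{{end}}</ul>`))

// RenderUserList renders nicknames with output escaping, so a raw value that
// reached the database before the fix is still emitted as text, not markup.
func RenderUserList(nicknames []string) (string, error) {
	var buf bytes.Buffer
	if err := userListPage.Execute(&buf, nicknames); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsMarkup reports whether a stored nickname still carries raw tag delimiters,
// which is what a defender would scan existing records for after deploying the fix.
func ContainsMarkup(stored string) bool {
	return strings.ContainsAny(stored, "<>")
}
```

Escaping on input and again on output double-encodes (a stored `&lt;` is rendered as the literal text `&lt;`), so output-side escaping in the template is the control to rely on, with input escaping as defence in depth.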