candy
Use a whitelist for XHTML-IM elements and attributes
The current method makes it trivial to execute scripts for any attacker, e.g. by sending <img src="something" onerror="alert('Hello XSS')"/> in a room.
http://xmpp.org/extensions/xep-0071.html defines a subset of elements alongside their attributes; I highly recommend that you whitelist only those and ignore any other element or attribute you come across.
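The allowlist approach proposed above, as an added example that is not part of the original issue or Candy's own code: the received XHTML-IM tree is re-serialized, and only listed elements and attributes survive. The function names, the element/attribute table (an illustrative subset that must be checked against XEP-0071) and the URL scheme list are assumptions.

```javascript
// Assumption: illustrative subset of XHTML-IM; verify against XEP-0071 before use.
const ALLOWED = {
  a: ['href'], blockquote: [], body: [], br: [], cite: [], em: [],
  img: ['alt', 'height', 'src', 'width'], li: [], ol: [], p: [],
  span: [], strong: [], ul: []
};
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEME = /^(https?|mailto|xmpp):/i; // assumption: schemes the client accepts
const VOID = new Set(['br', 'img']);

function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// node: a DOM node, or any object exposing nodeType, nodeName, attributes,
// childNodes and nodeValue. Returns a string that is safe to insert as HTML.
function sanitizeXhtmlIm(node) {
  if (node.nodeType === 3) return escapeText(node.nodeValue); // text node
  if (node.nodeType !== 1) return '';                         // comments, PIs: dropped
  const name = node.nodeName.toLowerCase();
  const inner = Array.from(node.childNodes || []).map(sanitizeXhtmlIm).join('');
  // Unknown element: the tag is dropped, its text content is kept (escaped).
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, name)) return inner;
  if (name === 'body') return inner;                          // wrapper only
  let attrs = '';
  for (const attr of Array.from(node.attributes || [])) {
    const attrName = attr.name.toLowerCase();
    if (!ALLOWED[name].includes(attrName)) continue;          // onerror, onclick, ...
    if (URL_ATTRS.has(attrName) && !SAFE_SCHEME.test(attr.value.trim())) continue;
    attrs += ` ${attrName}="${escapeText(attr.value)}"`;
  }
  return VOID.has(name) ? `<${name}${attrs}/>` : `<${name}${attrs}>${inner}</${name}>`;
}

// Constructed sample: plain objects shaped like DOM nodes, so this runs in Node.
const text = (v) => ({ nodeType: 3, nodeValue: v });
const el = (nodeName, attrs = {}, childNodes = []) => ({
  nodeType: 1, nodeName, childNodes,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value }))
});
const sample = el('body', {}, [text('hi '),
  el('img', { src: 'something', onerror: "alert('Hello XSS')" }),
  el('a', { href: 'javascript:alert(1)', onclick: 'x()' }, [text('link')]),
  el('script', {}, [text('alert(2)')])]);
console.log(sanitizeXhtmlIm(sample));
```

In a browser the same function accepts the parsed `<body/>` element of the incoming message stanza directly, since it only reads standard DOM node properties.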
Thank you for the report @linkmauve. Do you think you might be able to propose a fix?
Can you confirm if this was fixed? If so, a link to the commit and/or fixing version? Also if this is related to https://github.com/candy-chat/candy/issues/498?
No-one has yet proposed a fix.