
Code Injection in Peer Alias

Open schulzemic opened this issue 1 year ago • 3 comments

I have a channel with a node that has the following alias: <script>alert(\"LDK\");</script>

On the lndg overview page, the alias field just remains empty. But when I click on the channel ID in the list of active channels, an alert pops up.

schulzemic avatar Jan 06 '24 11:01 schulzemic

I accidentally created a duplicate: https://github.com/cryptosharks131/lndg/issues/394 Anyway mine is better explained with images.

Almost 9 months after this, we are still waiting for a patch. This software seems to be abandonware at this point.

JaviLib avatar Sep 02 '24 17:09 JaviLib

Almost 9 months after this, we are still waiting for a patch. This software seems to be abandonware at this point.

Have you submitted a pull request with a fix that wasn't merged? No?

SkanderHelali avatar Sep 03 '24 06:09 SkanderHelali

This should now be resolved in the latest v1.9.0 branch. Can you verify if you are still able to replicate the issue with this branch?

cryptosharks131 avatar Sep 07 '24 14:09 cryptosharks131

It is not solved:

[image]

LNDg v1.9.0

JaviLib avatar Sep 21 '24 10:09 JaviLib

For now, focused on the alert that is generated from the example script execution but not that it is still displayed properly.

Do you also still see the alert being generated?

cryptosharks131 avatar Sep 21 '24 12:09 cryptosharks131

No, the alert in the channel is not happening anymore.

JaviLib avatar Sep 21 '24 13:09 JaviLib
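
The thread asks for two properties from a fix: the alias must not execute, and it should still be shown as text. The block below is an added example of both, not lndg's code or its actual patch. It assumes the peer alias reaches the template as a raw string; the function names and the `<h2>` markup are hypothetical, and the inline-script helper goes beyond what the thread shows.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample modelled on the alias in the report; treated as an
# untrusted string supplied by a remote peer.
ALIAS = '<script>alert("LDK");</script>'


def render_unsafe(alias: str) -> str:
    """Vulnerable pattern: peer-controlled text concatenated into markup."""
    return "<h2>Channel with " + alias + "</h2>"


def render_safe(alias: str) -> str:
    """Encode on output for the HTML text and quoted-attribute contexts."""
    text = html.escape(alias, quote=True)
    return f'<h2 title="{text}">Channel with {text}</h2>'


def alias_for_inline_script(alias: str) -> str:
    """Encode for use inside a <script> block: a JSON string literal with
    <, > and & written as \\u escapes so it cannot close the element."""
    literal = json.dumps(alias)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


class _Audit(HTMLParser):
    """Collects the elements and the visible text a parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(markup: str):
    """Return (elements, visible text) for a rendered fragment."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, "".join(parser.text)
```

Used as a regression check, `audit(render_safe(alias))` should report only the `h2` element and visible text that contains the alias unchanged.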