github95 icon indicating copy to clipboard operation
github95 copied to clipboard

Published 20 hours ago verified publisher icon edwardpayton

potential XSS vulnerability

Open backwardspy opened this issue 11 months ago • 0 comments

hey, super cool project!

i think the file viewer is not escaping HTML tags in certain files. i noticed this when it embedded a form into a file i was looking at in one of my own projects, so i dug a little deeper to see if it could be an issue.

repro:

  1. open repo search
  2. navigate to swisskyrepo/PayloadsAllTheThings
  3. go to "files" tab
  4. view XSS Injection/README.md

this causes a number of the alerts in that file to be executed:

image

backwardspy avatar Apr 01 '24 10:04 backwardspy