seltzer
Persistent Cross-Site Scripting
If you set the first name (or any other field) of a user's record to include the application will alert 1 on any screen on which that username is shown. Likewise, this can be used to redirect to another site and/or access cookies and other browser-based activities. Output should be HTML-encoded for any and all user-supplied data.
Good catch!
I think the solution here is to implement a check_plain() function similar to Drupal's and make sure it gets called on all user-submitted data. I'll do this if I get time, but could definitely use some help.
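The following is an added example, not Seltzer's own code and not the fix proposed in the comment above. It shows the stored XSS described in the report beside the check_plain()-style output encoding suggested as the fix, modelled on Drupal 7's helper (`htmlspecialchars($text, ENT_QUOTES, 'UTF-8')`). The `$member` record, its field names and the `render_*` functions are hypothetical; the first name value is a constructed payload matching the "alert 1" behaviour the report describes.

```php
<?php
// Added example, not Seltzer's own code. The record shape and the render
// functions are hypothetical stand-ins for the application's member screens.

/**
 * Minimal check_plain(), modelled on Drupal 7's helper. It encodes the
 * characters that can open a tag or terminate an attribute so the browser
 * renders the value as text rather than markup. ENT_QUOTES encodes both "
 * and ', so the result is safe inside single- and double-quoted attributes;
 * 'UTF-8' makes htmlspecialchars() reject invalid byte sequences instead of
 * passing them through to the browser.
 */
function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed record: the first name carries a stored XSS payload that
// fires on every screen that prints the name unencoded.
$member = array(
    'first_name' => '<script>alert(1)</script>',
    'last_name'  => "O'Brien",
);

// Before: user-supplied data is interpolated straight into the HTML body.
// The browser executes the script wherever this member's name is shown.
function render_name_vulnerable(array $member) {
    return '<td>' . $member['first_name'] . ' ' . $member['last_name'] . '</td>';
}

// After: every user-supplied value passes through check_plain() at the point
// of output. Encoding belongs at render time, not at input time, so the
// stored value stays faithful and the escaping matches the output context.
function render_name_safe(array $member) {
    return '<td>' . check_plain($member['first_name']) . ' '
         . check_plain($member['last_name']) . '</td>';
}

// Attribute context: this is where ENT_QUOTES matters. Without it a single
// quote in the value would close the attribute early and allow an injected
// event handler such as onfocus=... to follow.
function render_input_safe(array $member) {
    return "<input type='text' name='first_name' value='"
         . check_plain($member['first_name']) . "'>";
}

echo render_name_vulnerable($member), "\n";
echo render_name_safe($member), "\n";
echo render_input_safe($member), "\n";
```

Run it with `php` on the command line and compare the three lines: the first still contains a live `<script>` element, the other two contain only entity-encoded text. Two caveats a practitioner would want: check_plain() is correct for HTML body and quoted-attribute contexts only, and a value placed inside a `<script>` block, a URL, or an unquoted attribute needs an encoder for that context instead; and the fix is only complete when every output path that prints user data calls it, which in practice means auditing each template and echo rather than a single choke point at input.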