YCS icon indicating copy to clipboard operation
YCS copied to clipboard

Published 20 hours ago verified publisher icon sonigy

XSS

Open RealPortalPlayer opened this issue 2 years ago • 2 comments

This doesn't properly encode HTML, which can enable XSS. There seems to be some sort of mitigation, since the classic <script>alert(1)</script> doesn't work. Unfortunately, it seems like this mitigation is half-baked. Something like <img src=1 onerror=alert(1)> does work. This can be very dangerous, and should be patched as soon as possible.

RealPortalPlayer avatar Oct 14 '22 06:10 RealPortalPlayer

Is this project dead? I'd prefer if this was dealt with as soon as possible. At least acknowledge this issue exists.

RealPortalPlayer avatar Nov 15 '22 21:11 RealPortalPlayer

I'm just noticing that if someone puts HTML tags in the comment it's missing in the search results

DovieW avatar Jan 08 '23 17:01 DovieW