Frontmatter
id: 4482
title: Cross Site Scripting (XSS) vulnerability
state: Closed
labels: bug
assignees: []
createdAt: May 29, 2023, 6:43 PM
updatedAt: May 31, 2023, 6:14 PM
githubUrl: https://github.com/neomjs/neo/issues/4482
author: Ghost
commentsCount: 0
parentIssue: null
subIssues: []
subIssuesCompleted: 0
subIssuesTotal: 0
blockedBy: []
blocking: []
closedAt: May 31, 2023, 6:14 PM

Cross Site Scripting (XSS) vulnerability

Closed | v8.1.0 | bug

Ghost commented on May 29, 2023, 6:43 PM

Describe the bug

Neo applications rendering unsanitized user inputs (e.g. forms) are vulnerable to XSS attacks.

To Reproduce

Steps to reproduce the behavior:

  1. Go to example Form application
  2. Click on Firstname in Page 1
  3. Enter: "><div style='color: red;'>PWNED</div><input value="
  4. Navigate to any other page
  5. Return back to Page 1

Another example:

  1. Go to example Form application
  2. Navigate to TextAreas page
  3. Click Page 6 Field 1
  4. Clear the text and enter: </textarea><div style='color: red;'>PWNED</div><textarea>
  5. Navigate to any other page
  6. Go back to TextAreas page

Expected behavior

User input should be escaped.

Ghost added the bug label on May 29, 2023, 6:43 PM
Ghost cross-referenced by PR #4483 on May 29, 2023, 6:53 PM
tobiu closed this issue on May 31, 2023, 6:14 PM
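The report's two reproduction payloads break out of different HTML contexts: the first closes the `value="..."` attribute of an input, the second closes a `<textarea>` element. The example below is added here and is not Neo's code nor the fix from PR #4483; it shows the expected-behavior point (escape the user value before it lands in markup) with hypothetical `renderInput`/`renderTextArea` helpers and a tag-count check that confirms only the intended elements survive.

```javascript
// Added example, not part of the neo project. Context-aware escaping for the
// two rendering contexts named in the report: a double-quoted attribute value
// (<input value="...">) and element content (<textarea>...</textarea>).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that can change HTML structure. Covering both
// quote styles makes the same function safe for attribute values and content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Hypothetical renderer for the Firstname field: the value is placed inside a
// double-quoted attribute, so an unescaped '"' would end the attribute.
function renderInput(name, value) {
  return `<input name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Hypothetical renderer for a textarea: the value is element content, so an
// unescaped '</textarea>' would end the element and start new markup.
function renderTextArea(name, value) {
  return `<textarea name="${escapeHtml(name)}">${escapeHtml(value)}</textarea>`;
}

// Counts real tags in rendered markup; escaped text contains no '<', so only
// the elements emitted by the renderer itself are counted.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Constructed inputs, copied from the report's reproduction steps.
const INPUT_PAYLOAD = '"><div style=\'color: red;\'>PWNED</div><input value="';
const TEXTAREA_PAYLOAD = "</textarea><div style='color: red;'>PWNED</div><textarea>";

// With escaping, each renderer emits exactly its own elements (1 and 2) and the
// payload is shown as literal text instead of becoming a red PWNED div.
console.log(renderInput('firstname', INPUT_PAYLOAD), countTags(renderInput('firstname', INPUT_PAYLOAD)));
console.log(renderTextArea('field1', TEXTAREA_PAYLOAD), countTags(renderTextArea('field1', TEXTAREA_PAYLOAD)));
```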