corbz/PYRSS-Website
corbz/PYRSS-Website
1
0
Fork 0
Code Issues 21 Pull Requests Actions Releases 1 Wiki Activity

Cross-site Scripting "Attack" #50

New Issue
Closed
opened 2024-08-22 18:03:10 +00:00 by corbz · 2 comments
corbz commented 2024-08-22 18:03:10 +00:00
Owner
Copy Link

The user can submit text which wont be escaped when rendered, although as it stands, it shouldn't affect other users due to how SavedGuilds are created on a per-user basis.

image

Replicate:

  1. Add new server popup
  2. Inspect on the <select> elem
  3. Edit the text inside the <option> elem to some malicious code
The user can submit text which wont be escaped when rendered, although as it stands, it shouldn't affect other users due to how `SavedGuild`s are created on a per-user basis. <img width="983" alt="image" src="attachments/c6e86cd8-6fbe-449b-99a8-f3166b3b1449"> Replicate: 1. Add new server popup 2. Inspect on the `<select>` elem 3. Edit the text inside the `<option>` elem to some malicious code
image.png
87 KiB
corbz added the
bug
 label 2024-08-22 18:03:10 +00:00
corbz self-assigned this 2024-08-22 18:03:10 +00:00
corbz added this to the PYRSS project 2024-08-22 18:03:10 +00:00
corbz commented 2024-08-31 14:06:17 +00:00
Author
Owner
Copy Link

Given the current way this app works, this would only affect the own user, and is not therefor a proper xss attack, however the future scope of the project is to make these saved guilds shared objects for many users, meaning this will be an issue in the future if not fixed now.

Given the current way this app works, this would only affect the own user, and is not therefor a proper xss attack, however the future scope of the project is to make these saved guilds shared objects for many users, meaning this will be an issue in the future if not fixed now.
corbz commented 2024-09-12 19:19:32 +00:00
Author
Owner
Copy Link

solved in 0.3.4

solved in 0.3.4
corbz closed this issue 2024-09-12 19:19:32 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something is not working
duplicate
This issue or pull request already exists
enhancement
New feature
help wanted
Need some help
invalid
Something is wrong
question
More information is needed
wontfix
This won't be fixed
No Label
bug
Milestone
No items
No Milestone
Projects
Clear projects
No project PYRSS
Assignees
Clear assignees
corbz
No Assignees corbz
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: corbz/PYRSS-Website#50
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?