Several vectors for JS injection #579
Reference: 0x2620/pandora#579
JS injection via username: Greetings from user `<script>alert('0wned!')</script>`
...Strangely, this user does not show up in the users list.
But by adding annotations, the user can make alerts pop up.
List names (entered in folder) and list descriptions (entered in dialog) execute JS, too.
In Manage Places/Events, if you enter as name or alternative name, the map/calendar will execute this as JS.
Saving seems to be fixed, so dialogs will go after reload.
Title changed from "JS injection via username" to "Several vectors for JS injection".

Another one is:

```javascript
pandora.api.addAnnotation({item: 'A', layer: 'descriptions', 'in': 23, out: '42', value: '<script>alert("description")</script>'}, function(r) { Ox.print(r.data); })
```
By whatever means we fix this, the goal should be that the surface of the fix, i.e. the amount of reasoning needed to verify it's correct, is as small as possible.
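A defender's sketch of the small-surface fix the comment above asks for, as an added example that is not pandora's or OxJS's own code: one escaping function at the output boundary, exercised with the report's own payloads as constructed inputs (escapeHTML, renderGreeting, renderAnnotation and leaksMarkup are assumed names).

```javascript
// Added example (not pandora/OxJS code): one escaping choke point for every
// untrusted string the issue lists (username, list name/description,
// annotation value) before it is placed into markup. Names are assumed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can alter HTML structure or end an
// attribute value. This is the only function that needs careful review.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern behind the report (for contrast): the raw value is
// concatenated into markup, so a stored <script> tag runs.
function renderGreetingUnsafe(username) {
  return `<div class="greeting">Greetings from user ${username}</div>`;
}

// The same banner with the username escaped at the output boundary:
// the tag is shown as text instead of being executed.
function renderGreeting(username) {
  return `<div class="greeting">Greetings from user ${escapeHTML(username)}</div>`;
}

// An annotation as a layer list might render it. Layer and value arrive
// via the API and are untrusted, so both are escaped; in/out are coerced
// to numbers, which turns any markup placed there into NaN.
function renderAnnotation(annotation) {
  const start = Number(annotation.in);
  const end = Number(annotation.out);
  return `<div class="annotation" data-layer="${escapeHTML(annotation.layer)}">` +
    `<span class="range">${start}-${end}</span> ` +
    `<span class="value">${escapeHTML(annotation.value)}</span></div>`;
}

// Regression check for the fix: strip the template's own div/span tags and
// report whether any raw '<' or '>' survived from the untrusted fields.
function leaksMarkup(html) {
  const withoutOwnTags = html.replace(/<\/?(div|span)\b[^>]*>/g, '');
  return /[<>]/.test(withoutOwnTags);
}
```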