处理后台各个输入框的 XSS 安全问题 #1557

ruibaby · 2021-12-02T14:09:30Z

What is version of Halo has the issue?

1.4.13

What database are you using?

H2

What is your deployment method?

Fat Jar

Your site address.

No response

What happened?

虽然目前后台仅仅只能由一个管理员来操作，但某些内容输入框能够插入 JavaScript 代码依旧是不妥的，比如文章标题、分类创建等。希望能够对这些地方做处理。

Relevant log output

No response

Additional information

No response

LawssssCat · 2022-04-11T13:33:59Z

代码直接就在后台执行了，这个bug挺严重的。请问哪个版本修复了？

ruibaby · 2022-04-11T13:37:46Z

代码直接就在后台执行了，这个bug挺严重的。请问哪个版本修复了？

目前访客仅能在评论部分提交内容，这部分是做了处理的。后台目前属于单管理员，我们认为在当前这并不属于严重的问题。

ruibaby added the kind/bug Categorizes issue or PR as related to a bug. label Dec 2, 2021

ruibaby added this to the 1.5.x milestone Dec 2, 2021

ruibaby added kind/feature Categorizes issue or PR as related to a new feature. vulnerability Vulnerability and removed kind/bug Categorizes issue or PR as related to a bug. labels Dec 6, 2021

guqing modified the milestones: 1.5.x, 2.0 Feb 18, 2022

Ljfanny mentioned this issue Apr 23, 2022

feat: Process XSS security problem of each input box in the background #1883

Closed

JohnNiang modified the milestones: 2.0.0, 2.0.x Dec 1, 2022

JohnNiang modified the milestones: 2.0.x, Backlog Dec 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

处理后台各个输入框的 XSS 安全问题 #1557

处理后台各个输入框的 XSS 安全问题 #1557

ruibaby commented Dec 2, 2021

LawssssCat commented Apr 11, 2022

ruibaby commented Apr 11, 2022

处理后台各个输入框的 XSS 安全问题 #1557

处理后台各个输入框的 XSS 安全问题 #1557

Comments

ruibaby commented Dec 2, 2021

What is version of Halo has the issue?

What database are you using?

What is your deployment method?

Your site address.

What happened?

Relevant log output

Additional information

LawssssCat commented Apr 11, 2022

ruibaby commented Apr 11, 2022