Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

append is vulnerable of xss #2391

Merged
merged 1 commit into from
Apr 11, 2018
Merged

append is vulnerable of xss #2391

merged 1 commit into from
Apr 11, 2018

Conversation

honnix
Copy link
Member

@honnix honnix commented Apr 11, 2018

Description

Fix cross-site-scripting issue.

Motivation and Context

http://api.jquery.com/append/ points out that append can introduce
cross-site-scripting (XSS) vulnerabilities.

In this particular case, we have identified an XSS issue as following:

Spin up a Luigi instance and navigate to /static/visualiser/index.html#tab=graph&visType=svg&taskId=%3Cscript%3Ealert(1)%3C%2Fscript%3E.
You should see an alert box pop up displaying 1.

Use text instead of append should fix it.

Have you tested this? If so, how?

I tested it locally manually.

@honnix
append is vulnerable of xss
9a571c5 
http://api.jquery.com/append/ points out that `append` can introduce
cross-site-scripting (XSS) vulnerabilities.

In this particular case, we have identified an XSS issue as following:

Spin up a Luigi instance and navigate to /static/visualiser/index.html#tab=graph&visType=svg&taskId=%3Cscript%3Ealert(1)%3C%2Fscript%3E.
You should see an alert box pop up displaying 1.

Use `text` instead of `append` should fix it.
@honnix honnix requested a review from Tarrasch April 11, 2018 12:14
@Tarrasch Tarrasch merged commit 6950798 into master Apr 11, 2018
@Tarrasch
Copy link
Contributor

Great job!

@Tarrasch Tarrasch deleted the fix-xss branch April 11, 2018 18:34
@honnix
Copy link
Member Author

honnix commented Apr 11, 2018

As this is a security patch, it would better to get it out asap and somehow notify users.

@Tarrasch
Copy link
Contributor

@honnix, you could make a new release and send an email to the user group?

@honnix
Copy link
Member Author

honnix commented Apr 12, 2018

Yes we will do that.

This was referenced Jun 29, 2022
Closed
Closed
@honnix honnix mentioned this pull request Mar 13, 2023
Merged
@mdragilev mdragilev mentioned this pull request Jun 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tarrasch Tarrasch Awaiting requested review from Tarrasch

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@honnix @Tarrasch