[Studio] Studio interprets strings as HTML #1848

Closed
camomiy opened this issue Dec 2, 2024 · 1 comment · Fixed by #1849

camomiy commented Dec 2, 2024

Hello,

Studio interprets the strings in nodes as HTML, which can lead to malicious uses:

```cypher
MATCH (n:CHUNK) where ID(n) = "#13:6149" set n.text = "<img src=\"https://i1.sndcdn.com/artworks-000307453326-9ubibj-t500x500.jpg\">CHEEKI BREEKI IV DAMKE</img> <script>window.alert(\"CHEEKI BREEKI IV DAMKE\");</script>"
return n
```

CHEEKI BREEKI IV DAMKE

@ExtReMLapin
Contributor

anu cheeki breeki iv damke

@lvca lvca closed this as completed in #1849 Dec 2, 2024
@lvca lvca added bug Something isn't working security labels Dec 2, 2024
@lvca lvca added this to the 24.11.2 milestone Dec 2, 2024
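
Added example (not part of the original issue and not the project's own code): a sketch of the class of bug reported above and one common mitigation, encoding stored values at the point where they are placed into markup. The function names and record shape are hypothetical, and the sample record is constructed from the string in the report.

```javascript
// Hypothetical helpers for illustration; not taken from the Studio code base.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
// null/undefined become an empty string; objects are serialized first.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  const text = typeof value === "object" ? JSON.stringify(value) : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": property values are concatenated into markup as-is, so a stored
// string containing tags is parsed as HTML when the row is displayed.
function renderRowUnsafe(record) {
  const cells = Object.values(record).map((v) => `<td>${v}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// "After": every value is encoded at the output boundary, so it is shown
// as literal text regardless of what the database returned.
function renderRowSafe(record) {
  const cells = Object.values(record).map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// Regression check: true when a rendered row still contains markup other
// than the <tr>/<td> scaffolding the renderer itself emits.
function containsInjectedMarkup(rowHtml) {
  const withoutScaffold = rowHtml.replace(/<\/?(tr|td)>/g, "");
  return /<[a-zA-Z\/!]/.test(withoutScaffold);
}

// Constructed sample record, modelled on the string set in the report.
const sample = {
  id: "#13:6149",
  text: '<img src="https://i1.sndcdn.com/artworks-000307453326-9ubibj-t500x500.jpg">' +
    'CHEEKI BREEKI IV DAMKE</img> <script>window.alert("CHEEKI BREEKI IV DAMKE");</script>',
};

console.log("unsafe row carries markup:", containsInjectedMarkup(renderRowUnsafe(sample)));
console.log("safe row carries markup:  ", containsInjectedMarkup(renderRowSafe(sample)));
console.log(renderRowSafe(sample));
```

When the rendering code works on DOM nodes rather than strings, assigning the value to `textContent` instead of `innerHTML` gives the same result without a manual encoder.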