XSS and HTML Injection in title field and stream URL field #1456

Closed
onlineaccount opened this issue Jan 11, 2017 · 3 comments

@onlineaccount

image

When you click the Add Stream button, the injection will be executed:
image

You have to click on the injected title or URL field to view the JavaScript alert.

@mattrjacobs
Contributor

Thanks for the report, @onlineaccount. Would you or anyone else be interested in submitting a PR to fix this?

@jack17529

@mattrjacobs if PR-welcome means one can submit a PR?
I would love to submit one!

@mattrjacobs
Contributor

@jack17529 Yes, absolutely. I'm happy to review whenever you're ready.

mattrjacobs added a commit that referenced this issue Jun 14, 2017
Escape user entered input to avoid HTML injection. This fixes #1456
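
The approach the referenced commit message names, escaping user-entered input before it reaches the page, shown as an added example that is not the project's code. The function names, the list markup and the sample values are assumptions, and the http(s) scheme check on the stream URL goes beyond what the commit message states.

```javascript
// Added example, not the project's code. All names here are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Replace the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs for the stream URL field (assumed policy).
function isHttpUrl(value) {
  try {
    const parsed = new URL(String(value));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:';
  } catch (err) {
    return false; // not parseable as an absolute URL
  }
}

// "Before": raw field values are concatenated into markup, so any tag
// typed into the title or URL field becomes part of the page.
function renderStreamRowUnsafe(title, url) {
  return '<li><span class="title">' + title + '</span> ' +
         '<span class="url">' + url + '</span></li>';
}

// "After": validate the URL, then escape both fields at the point of output.
function renderStreamRow(title, url) {
  if (!isHttpUrl(url)) {
    throw new Error('stream URL must be an absolute http(s) URL');
  }
  return '<li><span class="title">' + escapeHtml(title) + '</span> ' +
         '<span class="url">' + escapeHtml(url) + '</span></li>';
}

// Constructed sample input, in the spirit of the alert test in the report.
const sampleTitle = '<img src=x onerror=alert(1)>';
const sampleUrl = 'http://host.example:8080/stream?x="><b>bold</b>';

console.log(renderStreamRowUnsafe(sampleTitle, sampleUrl)); // markup injected
console.log(renderStreamRow(sampleTitle, sampleUrl));       // rendered as text
```

When the values are inserted through DOM APIs instead of string concatenation, assigning them with `textContent` gives the same result without a hand-written escaper.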