-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unjust XSS notice in the backend editor #2250
Comments
Yup, data URLs are often used in XSS attacks: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet They can be used in a variety of different ways, so it's not easy to write a regex to catch only the problematic methods, so the regex simply searches for However, I could add an option to configure the protocols: https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Security.php#L132 For now, this is just a warning if you are a super admin. |
Grav found potential XSS issues in %s We receive that in the backend but what is %s?? |
We've got the same warning as @lisandi. |
Fixed %s for the next version. |
Warning:
on:
but not on:
It seems that
data:
is seen as XSS potential.The text was updated successfully, but these errors were encountered: