
Escape category images to avoid backend XSS #639

Merged: 1 commit, Sep 28, 2019

Conversation

hannob
Contributor

@hannob hannob commented Sep 17, 2019

It is possible to cause a backend XSS via the category icons.

PoC:

  1. Create a category with something like "> in the "Category Image" field.
  2. Start a blog post, select this category and click on Preview.

I'm aware that s9y isn't really protected against backend XSS due to the blog posts themselves not being XSS safe, but still I think output should be properly escaped.

This is a fix within the templates, so naturally other templates won't automatically get that fix.
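As an added illustration (not code from the pull request or from Serendipity itself), the two PHP functions below show the defect class the PR describes and the fix: an admin-supplied "Category Image" value rendered inside an HTML attribute without escaping, beside the same rendering with attribute-safe escaping. Function names and the sample value are hypothetical; the sample reuses the PoC's `">` prefix so the attribute break-out is visible.

```php
<?php
// Added example, not Serendipity's own code. Renders a category icon <img>
// tag from the "Category Image" field; names and sample input are constructed.

// Vulnerable rendering: the value is concatenated into a double-quoted
// attribute unescaped, so a `"` in it closes the attribute and everything
// after `>` is parsed as markup. This is the backend XSS the PR fixes.
function render_category_icon_unescaped(string $icon): string
{
    return '<img src="' . $icon . '" alt="category icon">';
}

// Fixed rendering: escape for the HTML attribute context. ENT_QUOTES is
// needed so that both `"` and `'` are encoded; without it a single-quoted
// attribute would still be breakable. Specifying UTF-8 avoids charset
// mismatches that can make escaping inconsistent.
function render_category_icon_escaped(string $icon): string
{
    $safe = htmlspecialchars($icon, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="category icon">';
}

// Constructed sample in the spirit of the PoC: the leading `">` closes the
// src attribute and the tag in the unescaped variant.
$sample = 'x.png"><b>injected</b>';

echo render_category_icon_unescaped($sample), PHP_EOL;
echo render_category_icon_escaped($sample), PHP_EOL;
```

With the unescaped function the output contains a closed `<img>` followed by a live `<b>` element, because `"` and `>` were emitted verbatim; with the escaped function those characters become `&quot;`, `&gt;` and `&lt;`, so the whole value stays inside the `src` attribute and is inert. Serendipity's templates are Smarty, where the equivalent of the second function is applying the `escape` modifier to the variable at the point of output. Since the PR notes the fix lives in the template, the practical follow-up check is that every theme which renders the category image applies the same escaping, as the fix does not propagate to other templates automatically.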

@th-h th-h added the backport needed Fix that has to be backported to older release branches. label Sep 17, 2019
@onli onli merged commit fa8e77c into s9y:master Sep 28, 2019
onli added a commit that referenced this pull request Sep 28, 2019
@onli
Member

onli commented Sep 28, 2019

Does this really need a backport currently, @th-h ?

@onli
Member

onli commented Sep 28, 2019

And thank you, @hannob !

robelix pushed a commit to robelix/Serendipity that referenced this pull request Mar 9, 2020