Bug #23: Description fields are vulnerable to XSS
Status: Closed
Priority: Critical
Added by: scot on April 30, '24
Assigned to: (none)
Due date: (none)
Reported for: 0.6.0
Steps to Reproduce
- Create an issue or project
- In the description field, insert the XSS of your choice
- Insert any other content into the description field
- See your inserted JS affect the page
Explanation
XSS in description boxes. This applies to both project descriptions and issue descriptions. I've been poking around a bit, and it seems like any field that supports markdown is vulnerable. Thankfully, other fields seem unaffected.
It doesn't seem like there's any sanitization at all.
This is a link to one of the issues I opened in a test project. A few XSS tests in that project, nothing malicious though:
https://app.betahub.io/projects/190/issues/4 (this one's stupid but fun)
Also, check your console ;)
<script>console.log("Hello There :)")</script>
Screenshots
None
Video Clips
None
Log Files
None
Device
Hi Scot,
Excellent find, thank you! Will take care of it ASAP.
Hey Scot,
The issue has been fixed.
A little background:
Betahub runs on Rails. Normally, every string rendered with the ERB engine is automatically escaped, so usually no additional work is required there. However, when we use Markdown, we had to allow HTML tags in those strings, which led us to forget about escaping raw user input before sending it to the Markdown parser.
We've fixed it by inserting an escaping function right before the Markdown parser.
Thanks again for reporting it!
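The fix described in the comment above, shown as an added example rather than BetaHub's own code: raw user input goes straight into a Markdown renderer that passes HTML through (the vulnerable path), versus the same input escaped first with `ERB::Util.html_escape`, the escaping Rails' ERB templates apply to plain strings. The `render_markdown` helper is a stand-in for a real Markdown library (Redcarpet, Kramdown and the like), assumed here so the example runs without gems; it only handles `**bold**` and `[text](url)` and, like a renderer configured to allow raw HTML, leaves everything else untouched. The sample description is constructed from the script tag in the report.

```ruby
require 'erb' # ERB::Util.html_escape is what Rails' ERB auto-escaping uses under the hood

# Stand-in for a real Markdown library (assumption for this example): renders
# **bold** and [text](url), and passes all other characters, HTML included,
# through unchanged, which is the behaviour that made the description fields exploitable.
def render_markdown(text)
  html = text.dup
  html = html.gsub(/\*\*(.+?)\*\*/, '<strong>\1</strong>')
  html = html.gsub(/\[([^\]]+)\]\(([^)\s]+)\)/, '<a href="\2">\1</a>')
  "<p>#{html}</p>"
end

# Vulnerable path from the thread: the raw description is handed to the Markdown
# parser, so any HTML the user typed is emitted verbatim into the page.
def description_html_vulnerable(user_input)
  render_markdown(user_input)
end

# Fixed path: escape the raw input first (the step ERB would normally perform
# for a plain string), then run the Markdown parser on the escaped text.
# Markdown syntax still renders; user-supplied tags become inert text.
def description_html_fixed(user_input)
  render_markdown(ERB::Util.html_escape(user_input))
end

# Regression check a test suite can run over rendered output: no raw <script>
# tag may survive rendering of a description.
def raw_script_present?(html)
  html.downcase.include?('<script')
end

# Constructed sample input: Markdown bold plus the script tag from the report.
SAMPLE_DESCRIPTION = '**Hello** <script>console.log("Hello There :)")</script>'

if __FILE__ == $0
  puts "vulnerable: #{description_html_vulnerable(SAMPLE_DESCRIPTION)}"
  puts "fixed:      #{description_html_fixed(SAMPLE_DESCRIPTION)}"
end
```

Escaping before the parser is exactly the one-line fix described in the comment and keeps Markdown formatting working. It does not cover HTML that the Markdown renderer itself generates from link or image syntax, so a sanitizer on the rendered output (Rails' `sanitize` helper, for instance) is the more robust second layer.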
No problem at all! I appreciate the additional context as well.
Glad it got sorted quickly!