Bug #23

Description fields are vulnerable to XSS

Status: Closed
Priority: Critical
Added by: scot on April 30, '24
Assigned to: Unassigned
Due date:
Reported for:

Steps to Reproduce

  1. Create an issue or project
  2. In the description field, insert the XSS of your choice
  3. Insert any other content into the description field
  4. See your inserted JS affect the page

Explanation

XSS in description boxes. This applies to both project descriptions and issue descriptions. I've been poking around a bit, and it seems like any field that supports markdown is vulnerable. Thankfully, other fields seem unaffected.

It doesn't seem like there's any sanitization at all.

This is a link to one of the issues I opened in a test project. A few XSS tests in that project, nothing malicious though: https://app.betahub.io/projects/190/issues/4 (this one's s***** but fun)

Also, check your console ;) <script>console.log("Hello There :)")</script>

Watchers

Screenshots

None

Video Clips

None

Log Files

None

Device

Device information is not visible to you

This project restricts device information visibility.
[ #1 ] over 1 year ago by

Hi Scot, Excellent find, thank you! Will take care of it ASAP.

[ #2 ] over 1 year ago by

Hey Scot,

The issue has been fixed.

A little background: Betahub runs on Rails. Normally, every string rendered with the ERB engine is automatically escaped, so usually no additional work is required there. However, when we use Markdown, we had to allow HTML tags in those strings, which led us to forget about escaping raw user input before sending it to the Markdown parser.

We've fixed it by inserting an escaping function right before the Markdown parser.

Thanks again for reporting it!
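The escaping order described in this comment, shown as an added example (not BetaHub's code): a stand-in Markdown renderer that passes raw HTML through, the vulnerable path that feeds user input straight into it, and the fixed path that runs `ERB::Util.html_escape` (the same helper Rails' ERB engine uses for auto-escaping) before the parser. The input string, the `render_markdown` stand-in and the function names are constructed for this example.

```ruby
require "erb"

# Constructed sample input: Markdown formatting plus the script tag
# from the report above, and an angle bracket inside inline code.
UNTRUSTED = "**Hi** <script>console.log(\"Hello There :)\")</script> `x<y`"

# Minimal stand-in for a Markdown library (a real app would use a gem).
# It handles only **bold** and `code`. Like a real Markdown renderer
# with HTML passthrough enabled, it copies raw HTML to the output as-is.
def render_markdown(text)
  text
    .gsub(/\*\*(.+?)\*\*/, '<strong>\1</strong>')
    .gsub(/`(.+?)`/, '<code>\1</code>')
end

# Vulnerable path: untrusted text goes straight to the parser, and any
# HTML the user typed survives into the rendered page.
def render_unsafe(text)
  render_markdown(text)
end

# Fixed path: escape HTML special characters (< > & " ') *before* the
# Markdown parser sees the text. Markdown syntax still works, because
# the escaping touches none of the Markdown control characters used here,
# but user-supplied tags become inert text.
def render_safe(text)
  render_markdown(ERB::Util.html_escape(text))
end

if __FILE__ == $0
  puts "unsafe: #{render_unsafe(UNTRUSTED)}"
  puts "safe:   #{render_safe(UNTRUSTED)}"
end
```

Running it prints the `<script>` element intact on the unsafe line and `&lt;script&gt;...&lt;/script&gt;` on the safe line, while `<strong>Hi</strong>` and `<code>x&lt;y</code>` are rendered on both. One caveat for anyone applying the same pattern: escaping the input only neutralises HTML the user typed; markup the renderer itself generates (for instance the `href` of a Markdown link) still needs its own validation, which this example does not cover.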

[ #3 ] over 1 year ago by

No problem at all! I appreciate the additional context as well. Glad it got sorted quickly!
