New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remote code execution is possible #127

Closed

sjoerddebruin opened this issue Nov 28, 2017 · 1 comment

Assignees

Labels

important

Member

sjoerddebruin commented Nov 28, 2017

Book titles like https://tools.wmflabs.org/sqid/#/view?id=Q43981055 show some Javascript popup, this shouldn't be possible and is quite some security issue.

mmarx self-assigned this

mkroetzsch added the important label

Member

mkroetzsch commented Nov 28, 2017 •

edited

Loading

Note that Q4115189 can best be used to test this. I already inserted some HTML entities there and we can see a lack of escaping. The current behaviour suggests that a simple escaping alon ghte lines of https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript when applied ot all strings before output would work correctly.

mmarx added a commit that referenced this issue


          Correctly escape HTML in labels & values

57e9e3b

Fixes #127.

mmarx added a commit that referenced this issue


          Correctly escape HTML in labels & values

e90e0ef

Fixes #127.

mmarx added a commit that referenced this issue


          Correctly escape HTML in labels & values

22617c2

Fixes #127.

mmarx closed this as completed in

f1f6820

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment