
Adding input validation before saving to the db #105

Merged (6 commits), Feb 10, 2024

Conversation

lslschr (Contributor) commented Feb 8, 2024

Adding input validation

lslschr changed the title from "Main" to "Adding input validation before saving to the db", Feb 8, 2024

ellite (Owner) left a comment

Thank you.
I left some comments.

Review comments (outdated, resolved) on:
endpoints/categories/category.php
endpoints/currency/currency.php
endpoints/household/household.php

lslschr (Contributor, Author) commented Feb 8, 2024

Hi
Thank you very much for the feedback.

Just removed the unnecessary validations.

lslschr requested a review from ellite, February 8, 2024 21:33

ellite (Owner) left a comment

Thank you.

ellite merged commit 048bf2d into ellite:main, Feb 10, 2024

lslschr (Contributor, Author) commented Feb 13, 2024

Just wanted to mention the reason for this PR:
The application wallos in version 0.9 is vulnerable to Cross-Site Scripting (XSS), affecting all text-based input fields across the application where input validation is not properly implemented. To exploit this vulnerability, the attacker can insert the following payload into a text-based input field: <script>alert("xss")</script>. Once saved, refreshing the browser will trigger the execution of this JavaScript code in the user's browser. Similarly, the script will execute when a different user accesses the application and encounters the injected payload.

So the vulnerability is an XSS vulnerability at all text-based input fields, and the root cause of this vulnerability is missing input validation or an incorrect implementation of it. This input validation was created as part of this PR, and the vulnerability was therefore closed.

The XSS vulnerability affects the security of users who use the application. Other users will experience the same vulnerability when using the application. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.
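As an added illustration of the two layers a fix like this one rests on (not code from Wallos or from this PR; the function names and sample values are constructed), the PHP below rejects text-field input containing markup before it is stored and, independently, HTML-escapes whatever is stored at render time, so that the payload quoted above is inert even if a validation gap is ever found:

```php
<?php
// Added example, not Wallos code. Function names are hypothetical.

// Store-side check: refuse empty, over-long, or markup-bearing values.
// Returns null when the value must not be saved.
function validate_text_field(string $raw, int $maxLen = 100): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // If strip_tags() changes the string, it contained tag-like markup:
    // reject rather than silently rewriting what the user typed.
    if (strip_tags($value) !== $value) {
        return null;
    }
    return $value;
}

// Render-side encoding: this, not the check above, is what neutralises
// stored markup in an HTML context. Always pass the charset explicitly.
function render_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a benign category name, a name with a bare ampersand,
// and the payload quoted in the PR discussion.
$samples = [
    'Groceries',
    'Tom & Jerry',
    '<script>alert("xss")</script>',
];

foreach ($samples as $s) {
    $ok = validate_text_field($s);
    printf("%-32s validate=%-8s render=%s\n",
        $s,
        $ok === null ? 'REJECTED' : 'accepted',
        render_text($s));
}
```

Run with `php example.php`: the first two values are accepted and rendered unchanged apart from `&` becoming `&amp;`, while the script payload is rejected at validation and, if it had reached storage anyway, would render as escaped `&lt;script&gt;` text rather than executing.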
