Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: JS injection issue in petition page #183

Closed
fallen opened this issue Dec 14, 2019 · 1 comment
Closed

Security: JS injection issue in petition page #183

fallen opened this issue Dec 14, 2019 · 1 comment
Assignees
@fallen
Labels
bug
Milestone
2.0

Comments

@fallen
Copy link
Member

fallen commented Dec 14, 2019

it is possible to inject JavaScript into the petition content in the petition page.
That could be used to steal the identification cookie for instance.

see : https://pytitiondemo.sionneau.net/petition/user/JeanMichelApathie/my-petition
@fallen fallen added the bug label Dec 14, 2019
@fallen fallen added this to the 2.0 milestone Dec 14, 2019
@fallen fallen changed the title Secutiry: JS injection issue in petition page Security: JS injection issue in petition page Dec 14, 2019
@fallen fallen mentioned this issue Dec 14, 2019
Open
fallen added a commit that referenced this issue Dec 20, 2019
@fallen
[#183] Fix possible XSS by sanitizing HTML content
96fcdc2
fallen added a commit that referenced this issue Dec 21, 2019
@fallen
[#183] Fix possible XSS by sanitizing HTML content
8130f74
@fallen fallen self-assigned this Jan 14, 2020
@fallen
Copy link
Member Author

fallen commented Jan 14, 2020

It seems no longer possible to inject trivially JS.
I will mark this as fixed for v2.0 but I will open another ticket for CSP (Content Security Policy) integration as security obviously needs to be improved as a process.

@fallen fallen closed this as completed Jan 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fallen fallen

Labels
bug
Projects
None yet
Milestone
2.0
Development

No branches or pull requests
1 participant
@fallen