XSS vulnerability in association fields #2343

Closed
Centine opened this issue Jun 23, 2015 · 1 comment
Comments

Centine commented Jun 23, 2015

It seems possible to inject JavaScript code through associations. I have a model in Mongo with embedded documents. Below is an example with JavaScript in the fields.

{
    "_id" : ObjectId("001"),
    "name" : "\"><img src=x onerror=prompt(3)>",
    "profiles" : [
        {
            "_id" : ObjectId("002"),
            "contact" : "\"><img src=x onerror=prompt(4)>",
            "name" : "\"><img src=x onerror=prompt(6)>",
            "notes" : "\"><img src=x onerror=prompt(5)>",
            "updated_at" : ISODate("2015-06-23T10:15:12.279Z")
        }
    ]
}

Upon viewing or editing the '001' document in rails_admin, a JavaScript popup is shown with the value 6. It seems this value is used in several places, both under "show" and "edit", where it is used as the tab title.
Simply removing the trailing .html_safe call in lib/rails_admin/config/fields/association.rb:pretty_value obviously breaks existing functionality.
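
The pattern described in the report, shown as an added example that is not rails_admin's own code: an association's `pretty_value` builds link markup around each associated record's label and then calls `.html_safe` on the whole string, so markup inside the label (here the reporter's `onerror` payload) reaches the browser unescaped. Dropping `.html_safe` would escape the intentional `<a>` tags too, which is the breakage the reporter mentions. The fix that keeps the links is to escape each untrusted field before assembling the markup and only mark the assembled result safe. `SafeString`, `Profile`, `pretty_value_unsafe`, `pretty_value_safe` and the `/profiles/<id>` URL shape are constructed stand-ins for ActiveSupport's SafeBuffer, the embedded document and the field's rendering, not the project's API.

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport::SafeBuffer: a String that reports
# itself as already escaped, so a view layer would emit it verbatim.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Mirrors ActiveSupport's String#html_safe for this self-contained example.
  def html_safe
    SafeString.new(self)
  end

  def html_safe?
    false
  end
end

# Constructed associated record, standing in for an embedded "profile" document
# whose "name" is shown as the association's label and as a tab title.
Profile = Struct.new(:id, :name)

# Vulnerable shape: interpolate the raw label into HTML, then mark everything
# safe. Any markup stored in `name` is rendered as markup, not text.
def pretty_value_unsafe(profiles)
  profiles
    .map { |p| "<a href=\"/profiles/#{p.id}\">#{p.name}</a>" }
    .join(", ")
    .html_safe
end

# Hardened shape: escape each untrusted value first (CGI.escapeHTML turns
# " < > & ' into entities), build the markup from the escaped pieces, and only
# then mark the assembled string safe. The links still render; the payload
# is displayed as literal text.
def pretty_value_safe(profiles)
  profiles
    .map do |p|
      id   = CGI.escapeHTML(p.id.to_s)
      name = CGI.escapeHTML(p.name.to_s)
      "<a href=\"/profiles/#{id}\">#{name}</a>"
    end
    .join(", ")
    .html_safe
end

# The reporter's payload for the embedded profile's "name" field.
PAYLOAD = "\"><img src=x onerror=prompt(6)>"

# Renders the same constructed association both ways and returns
# [vulnerable_output, hardened_output] for comparison.
def demo
  profiles = [Profile.new("002", PAYLOAD), Profile.new("003", "Alice")]
  [pretty_value_unsafe(profiles), pretty_value_safe(profiles)]
end

if __FILE__ == $PROGRAM_NAME
  unsafe, safe = demo
  puts "vulnerable: #{unsafe}"
  puts "hardened:   #{safe}"
end
```

The same rule applies to the tab-title use the reporter mentions: a label that ends up as plain text in the page must be escaped at the point where it is joined into HTML, regardless of whether the surrounding template happens to call `.html_safe`.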

@mshibuya
Member

Thanks for reporting, fixed now.
