Cross Site Scripting Vulnerability in Latest Release

Question

Cross Site Scripting Vulnerability in Latest Release

HatBoy opened this issue 6 years ago · 1 comments

Hi, I would like to report Cross Site Scripting vulnerability in latest release.
Description:
Cross-site scripting (XSS) vulnerability inquokka/admin/actions.py 90, 151 line, Because there is no filter username.
The vulnerability code is:
flash(Markup( f'Profile block for {user["username"]} ' f'Created at: ' f'<a href="{newlink}">{new.inserted_id}</a>' ))

Steps To Reproduce:
1.Create a user, username is xss payload, like: <script>alert(3)</script>
2.Select the username and Create user profile block, then trigger the payload.

author by jin.dong@dbappsecurity.com.cn

Answer 1 · 2019-06-07T14:16:34.000Z

this issue fixed on pr #678