Details
Type: Bug
Resolution: Fixed
Priority: Medium
Security: fixed PXSS issues in grids in the frontend
Description
Problem
With TRANSLATE-283, persistent XSS attacks are prevented by sanitizing user input when it is persisted.
There is still the problem that, in the UI, form input is reflected directly into the grid, including its HTML, before it is overwritten with the server's response after saving.
This still allows self-XSS attacks, i.e. only within the attacker's own scope. Still, this might be a lower attack vector in combination with CSRF or similar.
Solution
We should HTML-encode the default display fields and grids in general. Where HTML is needed in such a field, the UI encoding must be disabled and the data must be sanitized directly on input; the only case that comes to mind at the moment is segment editing, and all grids that display segment data.
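An added example of the encode-by-default rule described above (not translate5's own code): every grid cell is HTML-encoded unless its column explicitly opts in with a hypothetical `allowHtml` flag, which is reserved for fields whose content was already sanitized on input, such as segment data. The column names and the form record are constructed for illustration.

```javascript
// Encode the characters that matter in HTML text and attribute context,
// so a reflected form value is displayed as inert text rather than parsed.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Column definitions (hypothetical names): encoding is the default and
// raw HTML must be opted into per column.
const columns = [
  { dataIndex: 'taskName' },                       // encoded by default
  { dataIndex: 'comment' },                        // encoded by default
  { dataIndex: 'segmentSource', allowHtml: true }, // sanitized on input, rendered raw
];

// Renderer applied to every cell: raw HTML only when the column opts in.
function renderCell(column, value) {
  if (value === null || value === undefined) return '';
  return column.allowHtml ? String(value) : htmlEncode(value);
}

// Models the reported flow: the form value is placed into the grid row before
// the server-sanitized copy arrives, so the renderer is the only protection
// at that moment.
function renderRow(record) {
  return columns.map(c => ({
    field: c.dataIndex,
    html: renderCell(c, record[c.dataIndex]),
  }));
}

// Constructed sample of what a user typed into the form (not yet persisted).
const formInput = {
  taskName: '<img src=x onerror=alert(1)>',
  comment: 'He said "hi" & left',
  segmentSource: '<b>already sanitized</b> text',
};

// The default columns come out as escaped text; only the opted-in column
// keeps its markup.
renderRow(formInput);
```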