translate5 - TRANSLATE-3960

Test PXSS in all input fields of the application

Details

    • Critical
    • Security: fixed remaining PXSS issues by adding frontend-sanitization

    Description

      Problem

      TRANSLATE-283 was not solved completely. For some fields PXSS is prevented, for some not.

      In the re-test, PXSS still exists at least in the POST of language resources.

      That can easily be tested by adding some HTML, like a bold tag, to the input and saving it.

      If the HTML remains after reloading the grid, then the PXSS is still there and must be fixed, or it must be checked why. It should be solved in general by the input sanitizer.

      The consequence is that we have to test all fields manually!

      Also, we should add that to the tests by modifying existing tests and adding HTML to their input data. In the best case it is stripped, and no change at all is needed in the test comparison part.
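An added example (not translate5 code) of the test approach proposed above: a plain-text input sanitizer, plus a helper that wraps every string field of a constructed fixture in bold tags, runs it through a save function and reports the fields where the markup survived the round trip. The fixture's field names and the sanitizer itself are assumptions, not the project's own.

```javascript
// Added example, not translate5 project code: a plain-text input sanitizer
// plus a test helper that follows the issue's proposal of injecting HTML
// into existing test data and expecting the stored value to be stripped.
// Strip markup from a value destined for a plain-text field. Tags are removed
// until nothing changes (so "<<b>b>" cannot reassemble into a tag), then any
// stray angle bracket is dropped so no tag can be formed by a later consumer.
function sanitizeInput(value) {
  if (typeof value !== 'string') return value;
  let prev;
  let out = value;
  do {
    prev = out;
    out = out.replace(/<[^>]*>/g, '');
  } while (out !== prev);
  return out.replace(/[<>]/g, '');
}

function sanitizeRecord(record) {
  return Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, sanitizeInput(v)]));
}

// Wrap every string field of a fixture in bold tags, as the issue suggests for
// the manual re-test, so an unsanitized round trip shows up as a mismatch.
function injectMarkup(fixture) {
  return Object.fromEntries(
    Object.entries(fixture).map(([k, v]) =>
      [k, typeof v === 'string' ? `<b>${v}</b>` : v]));
}

// Simulate "save, reload the grid, compare": saveFn stands in for the
// application's save path; returns the names of fields whose reloaded value
// differs from the untouched fixture, i.e. where markup survived.
function fieldsWithRemainingMarkup(fixture, saveFn) {
  const reloaded = saveFn(injectMarkup(fixture));
  return Object.keys(fixture).filter((k) => reloaded[k] !== fixture[k]);
}

// Constructed language-resource fixture; field names are illustrative only.
const languageResourceFixture = {
  name: 'Example TM EN-DE',
  serviceName: 'ExampleService',
  sourceLang: 'en',
  targetLang: 'de',
  customerId: 7,
};

// Unsanitized save path (the "before" state described in the issue).
const unsanitizedSave = (record) => ({ ...record });
```

Run with the unsanitized save path the helper lists every string field as still carrying markup; with `sanitizeRecord` as the save path the list is empty, so the existing expected data needs no change.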

People

  sanya@mittagqi.com Sanya Mikhliaiev
  tlauria Thomas Lauria
  Thomas Lauria