
Improve segment content sanitation to prevent XSS attacks (finding H1.1)


    • Type: Bug
    • Resolution: Unresolved
    • Editor general
    • Critical

      Remove workaround in ERP Module, see commit: [master d590319] Fix compatibility with different translate5 versions

      problem

      Segment editing allows XSS attacks. The ordinary attack vectors (img onload, script tags) are already recognized and blocked.

      Additional vectors were found. See PDF in linked TS Issue.

      solution

      Include a more sophisticated sanitization library to filter out the described and other possible attack vectors, and allow only the HTML that segment content actually needs.
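The allowlist approach the solution calls for, as an added example that is not translate5 code: only listed tags and attributes survive, so an unknown event handler or tag trick is dropped without having to be known in advance. The tag set, the `sanitize` name and the `SegmentSanitizer` class are assumptions for illustration.

```python
"""Allowlist sanitizer for segment HTML: keep only listed tags/attrs, drop the rest."""
from html import escape
from html.parser import HTMLParser

# Assumed inline formatting a segment editor needs; translate5's real set is not on the page.
ALLOW_TAGS = {"b", "i", "u", "span"}
ALLOW_ATTRS = {"span": {"class", "title"}}  # no on*, href, src or style: nothing executable
DROP_WITH_CONTENT = {"script", "style"}      # their text is never legitimate segment content


class SegmentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOW_TAGS and not self.skip:
            kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                           for n, v in attrs if n in ALLOW_ATTRS.get(tag, ()))
            self.out.append(f"<{tag}{kept}>")
            self.open.append(tag)
        # any other tag is removed; its text content is kept via handle_data

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:  # close only what we opened, innermost first
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    # comments, <!DOCTYPE> and <?pi?> hit the base-class no-ops and vanish


def sanitize(html: str) -> str:
    """Return html reduced to allowlisted markup with balanced tags."""
    p = SegmentSanitizer()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))
    return "".join(p.out)


if __name__ == "__main__":
    print(sanitize('<b>Hi</b><img src=x onload="alert(1)"> <script>alert(1)</script>ok'))
```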


            Thomas Lauria (tlauria)
            Leon Kiz