Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

HTML content injection in developer signup email

See original GitHub issue

Bug description

The application is rendering the user-controlled tags in an unsafe manner which may allow an attacker to inject malicious HTML code.

Reproduction steps

Go to ‘https://developer.bilinfo.net/signup’ (any site would do)
Signup. At the email section enter the victims email and at the name section enter the HTML script mentioned below :- {{ <img src=http://tinypic.com/i/tp-logo.jpg>}} . Submit the form
Navigate to the corresponding email and you’ll notice that the Name which was an HTML script gets rendered into the mentioned Email.
See error

Expected behavior

User input should be HTML-encoded at any point where it is copied into application responses. All HTML meta-characters, including < > " ’ and =, should be replaced with the corresponding HTML entities (< > etc). Application should filter meta characters or HTML tags provided from user input.

Is your portal managed or self-hosted?

Managed

Issue Analytics

State:
Created 3 years ago
Comments:13 (4 by maintainers)

Top GitHub Comments

1reaction

mikebudzynskicommented, Oct 19, 2020

It will be rolled out with the main API Management service release - you can monitor the link from my previous comment for release notes. We’re still preparing for the roll-out.

1reaction

mikebudzynskicommented, Sep 29, 2020

@CosminLazar This change will be included in the next backend release. You can monitor https://aka.ms/apim/releases for release notes.