Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Cross-Site Scripting (XSS) in Automation Tags
See original GitHub issueVersion: Papermerge 2.0rc35
Steps to reproduce
Log into Papermerge and visit the “automates” function located at /admin/automate/add/. Insert the following payload into the “Tags” formular and confirm the new tag by inserting a single comma.
<script>alert('XSS');</script>
The JavaScript payload gets instantly executed by the browser, which leads to reflected XSS. If the automation with an XSS payload is saved, the issue will evolve to stored XSS.
If the saved automation is browsed again, e.g. via the following URL path /admin/automate/1, the stored JS payload will be executed again.
Steps to mitigate this issue
As previously, it is recommended to escape all untrusted user input before reflecting or storing the data.
Issue Analytics
- State:
- Created 3 years ago
- Comments:7 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@l4rm4nd, danke! As with other high priority bugs (related specifically to 2.0), I will take care of them over the weekend.
Seems fixed. Cannot reproduce the XSS vulnerability.