Details

      Description

      XSS in System Settings

       Steps to reproduce:

      1. Go to Control Panel -> Configuration -> System Settings -> Forms -> Form Navigator Configuration
      2. Add a new entry with Form Navigator ID equal to the following script and Form Navigator Entry Keys "key"
        <script>alert(document.cookie);</script>

       Actual behavior: A popup alert appears with the site cookies on every refresh of the Form Navigator Configuration display page.
       Expected behavior: The new entry should be escaped, and alert should not be shown.

      This behavior can be replicated with any System Settings that has a similar search container.
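
      The expected behavior above (stored values escaped when the search container renders them), as an added example that is not part of the original report or the project's code. The function names, the column keys and the table markup are assumptions made for illustration; the sample entry is the one from the steps to reproduce.

```javascript
// Added illustration; every name below is hypothetical, not the portal's own code.

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before" behaviour: the stored value reaches the markup unchanged.
const noEncoding = (value) => String(value ?? "");

// Generic search-container renderer. Applying the encoder here, at output time,
// covers every settings page that lists its stored entries through it.
function renderSearchContainer(rows, columns, encode) {
  const body = rows
    .map((row) => "<tr>" + columns.map((c) => "<td>" + encode(row[c]) + "</td>").join("") + "</tr>")
    .join("");
  return "<table>" + body + "</table>";
}

// Regression check: does the rendered markup open a script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the entry from the steps to reproduce.
const columns = ["formNavigatorId", "formNavigatorEntryKeys"];
const rows = [
  { formNavigatorId: "<script>alert(document.cookie);</script>", formNavigatorEntryKeys: "key" },
];

const before = renderSearchContainer(rows, columns, noEncoding);
const after = renderSearchContainer(rows, columns, escapeHtml);

console.log("unescaped:", before, "-> script element:", containsScriptElement(before));
console.log("escaped:  ", after, "-> script element:", containsScriptElement(after));
```

      The same check can be run against the rendered markup of any other settings page that uses a similar search container.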


            People

            • Assignee: Brian Chan (brian.chan)
            • Reporter: Dylan Rebelak (dylan.rebelak)
            • Recent user: Michael Saechang

              Dates

              • Days since last comment: 1 year, 16 weeks, 4 days ago

                Packages

                Version Package
                7.1.X
                Master