
#2669 Fixed XSS vulnerabilities in graphical view components: #3042

Conversation

Collaborator

@Limraj Limraj commented Oct 29, 2024

  • Fixed Simple Point: Name, Point name override, Style attribute, Display controls, Background color;
  • Fixed Simple compound: Name, Background colour, Lead point, Sub point X;

@Limraj Limraj added this to the 2.8.0 milestone Oct 29, 2024
@Limraj Limraj requested a review from SoftQ as a code owner October 29, 2024 16:01

github-actions bot commented Oct 29, 2024

Java Script Mocha Unit Test Results

268 tests  ±0   268 ✅ ±0   3s ⏱️ ±0s
 70 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 0f52419. ± Comparison against base commit e9beecc.

♻️ This comment has been updated with latest results.


github-actions bot commented Oct 29, 2024

Java JUnit Test Results

2 517 tests  ±0   2 517 ✅ ±0   42s ⏱️ -2s
  116 suites ±0       0 💤 ±0 
  116 files   ±0       0 ❌ ±0 

Results for commit 0f52419. ± Comparison against base commit e9beecc.

♻️ This comment has been updated with latest results.

@Limraj Limraj requested a review from Patrykb0802 October 30, 2024 14:54
Contributor

@Patrykb0802 Patrykb0802 left a comment


Fixed Simple Point:

Point value is shown as: <span>{value}</span> --> error

  • Name ---> ok, point selected with name of "><img src=x onerror=alert(document.location)> is not causing any issues

  • Point name override --> ok

  • Style attribute ---> seems not to be escaped:

    Set value: "><img src=x onerror=alert(document.location)>

  • Display controls ---> ok, content is escaped

  • Background color ---> seems not to be escaped:

    Set value: "><img src=x onerror=alert(document.location)>

Fixed Simple compound:

  • Name --> ok

  • Background colour --> setting value with potential XSS and saving it --> no error --> saving graphical view and on read mode alert shows up one time

  • Lead point --> ok, no alerts when data point with such name is selected

  • Sub point X --> ok, no alerts when data point with such name is selected

- Fixed: <span>value</span>;
- Fixed: Background color, Style attribute;
- Fixed value alphanumeric type: added properties: datapoint.type.alphanumeric.escaped default false;
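The two rendering contexts the review above exercises (point name inside a `<span>` versus the style and background colour attributes), as an added example that is not the project's own code; the field names mirror the review comment, while the render functions and the colour allowlist are assumptions.

```javascript
// Added example (not the project's code): raw interpolation of graphical-view
// fields beside context-aware escaping; field names follow the review comment.
// Constructed payload, the one quoted in the review comment.
const PAYLOAD = '"><img src=x onerror=alert(document.location)>';

// Escape the characters that let a value break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A colour is a CSS value, not free text: allowlist it instead of only escaping it.
function sanitizeColor(value) {
  return /^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/.test(value) ? value : 'transparent';
}

// Vulnerable pattern: every field lands in the markup as-is, so PAYLOAD closes the
// style attribute and injects an <img> element carrying an onerror handler.
function renderPointUnsafe(point) {
  return `<div style="background-color:${point.backgroundColor}">` +
    `<span style="${point.style}">${point.name}: ${point.value}</span></div>`;
}

// Hardened pattern: escape each field for its HTML context and allowlist the colour.
function renderPointSafe(point) {
  const bg = sanitizeColor(point.backgroundColor);
  return `<div style="background-color:${escapeHtml(bg)}">` +
    `<span style="${escapeHtml(point.style)}">` +
    `${escapeHtml(point.name)}: ${escapeHtml(point.value)}</span></div>`;
}

// Detection helper: unique tag names in the markup other than the two wrapper
// elements; any hit means a field value was interpreted as HTML.
function injectedTags(html) {
  const allowed = new Set(['div', 'span']);
  const found = new Set();
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    if (!allowed.has(m[1].toLowerCase())) found.add(m[1].toLowerCase());
  }
  return [...found];
}

const point = { name: PAYLOAD, value: 'v', style: PAYLOAD, backgroundColor: PAYLOAD };
console.log(injectedTags(renderPointUnsafe(point))); // ['img']
console.log(injectedTags(renderPointSafe(point)));   // []
```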
@Limraj Limraj requested a review from Patrykb0802 October 30, 2024 21:30
Contributor

@Patrykb0802 Patrykb0802 left a comment


Simple point works fine now:
All fields are escaped

Simple compound works fine

No pop ups/alerts are occurring

@Limraj Limraj merged commit 5e8686d into fix/#2116_XSS_Vulnerabilities_in_2_8 Nov 6, 2024
8 checks passed