Table editor allows to execute javascript in FF #273

Closed
akarnachuk opened this issue May 23, 2017 · 1 comment

@akarnachuk

Bug report

Table editor allows JavaScript code to be executed. When I paste the following code

</textarea><svg/onload="alert('Qasuar')">

into the table editor and press Enter, I get an alert.
(see https://tradeshift.atlassian.net/browse/HACK-273)

Tradeshift UI version affected

v8.0.2

Expected Behavior

No javascript should be executed

Actual Behavior

Javascript is allowed to be executed

Steps to reproduce

This was reproduced on Firefox 53.0.2 (64-bit)
and does not reproduce in Chrome.


@wiredearp
Contributor

🍺 Good find! Thanks for reporting.
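
The reported string starts by closing a `<textarea>`, so everything after it is parsed as live markup. The following is an added example, not code from this issue or from the Tradeshift UI code base: it assumes the editor concatenates the cell value into textarea markup, and the function names are hypothetical. It contrasts that pattern with an escaped version.

```javascript
// Added example; renderEditorUnsafe/renderEditorSafe are hypothetical names,
// not functions from the Tradeshift UI code base.
const PAYLOAD = `</textarea><svg/onload="alert('Qasuar')">`; // string from the report

// Assumed vulnerable pattern: the cell value is concatenated into markup.
function renderEditorUnsafe(cellValue) {
  return '<textarea>' + cellValue + '</textarea>';
}

// Escape the characters that can close the textarea or start markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Hardened form: the value can no longer contain a literal "</textarea>".
// In a browser, assigning textarea.value avoids HTML parsing altogether.
function renderEditorSafe(cellValue) {
  return '<textarea>' + escapeHtml(cellValue) + '</textarea>';
}

// A <textarea> body is RCDATA: the parser ignores tags inside it and only
// looks for the first "</textarea" followed by whitespace, "/" or ">".
// Returns whatever follows that end tag, i.e. what is parsed as live markup.
function markupAfterTextarea(html) {
  const open = /<textarea[^>]*>/i.exec(html);
  if (!open) return html;
  const body = html.slice(open.index + open[0].length);
  const close = /<\/textarea(?=[\s\/>])[^>]*>/i.exec(body);
  if (!close) return ''; // unterminated: everything stays text
  return body.slice(close.index + close[0].length);
}

// True when markup that escaped the textarea carries an inline event handler.
function hasEscapedHandler(html) {
  return /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(markupAfterTextarea(html));
}
```

`hasEscapedHandler` can serve as a regression check over rendered editor markup: it is true for the unsafe rendering of the reported string and false once the value is escaped.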
