HTML input is not sanitized #36
Labels
next release
fixed in develop branch and will be part of the next release
Comments
|
Where and how you can use any HTML? |
|
In the Device nickname field |
|
True, seems that the readme is still valid :)
|
|
is this issue mentioned only reflecting to client side java script or even to server side? |
|
I didn't check the server part, however I am able to display javascript
alerts or open popups on a friends pc using snapweb like this.
nanderer ***@***.***> schrieb am Mo., 10. Jan. 2022, 00:31:
… is this issue mentioned only reflecting to client side java script or even
to server side?
—
Reply to this email directly, view it on GitHub
<#36 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMGSKD5BOJQHKT6NVHQENF3UVILGDANCNFSM5IMGDBEA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
The server doesn't interpret any JavaScript, it just serves files within the doc root directory |
badaix
added
the
next release
|
Fixed in v0.6.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You can use any HTML as and can even inject javascript by using
<img src="broken" onerror="your_js_code"></img>. If many users are using snapweb, this could be considered a security issue.The text was updated successfully, but these errors were encountered: