[XPORTER-4185] Xporter is not sanitizing few of the HTML tags and rendering back the tags with out any encoding - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Medium
Resolution: Unresolved
Affects Version/s: Xporter DC V7.0
Fix Version/s: Continuous Delivery
Component/s: Xporter Engine
Labels:
None

Requirement Status:

UNCOVERED

Description

Description
Xporter is not sanitizing few of the HTML tags and rendering back the tags with out any encoding. This behaviour leading the application vulnerable to HTML Injection.

How to reproduce
1. Login to the application
2. Go to Profile page
3. Click on "Xporter Templates"
4. Create a new template with description having HTML tags (<a
href=https://google.com>clickhere</a>)
5. Observed the payload got executed successfully
6. Click on the hyperlink, it will redirect you the domain injected in payload

Version

7.0.0

Attachments

Activity

People

Assignee:: Rui Rodrigues

Reporter:: João Silva

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 03/Apr/24 5:02 PM

Updated:: 12/Apr/24 7:05 PM

OKR_StartDate:: 12/Apr/24