[XPORTER-4185] Xporter is not sanitizing few of the HTML tags and rendering back the tags with out any encoding - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Blocked
Priority: Medium
Resolution: Unresolved
Affects Version/s: Xporter DC V7.0
Fix Version/s: Continuous Delivery
Component/s: Security, Template Management
Labels:
None

Requirement Status:

UNCOVERED

Description

Description
Xporter is not sanitizing few of the HTML tags and rendering back the tags with out any encoding. This behaviour leading the application vulnerable to HTML Injection.

How to reproduce
1. Login to the application
2. Go to Profile page
3. Click on "Xporter Templates"
4. Create a new template with description having HTML tags (<a
href=https://google.com>clickhere</a>)
5. Observed the payload got executed successfully
6. Click on the hyperlink, it will redirect you the domain injected in payload

Version

7.0.0

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2024-06-17-17-19-18-745.png
23 kB
17/Jun/24 5:19 PM

Activity

People

Assignee:: Paulo Pereira

Reporter:: João Silva

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 03/Apr/24 5:02 PM

Updated:: 4 days ago 2:55 PM

OKR_StartDate:: 12/Apr/24