[XRAY-4471] XSS, In the Automated Steps Library page, in case of a syntax error, it is possible to execute JS text - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: R3.4.3
Fix Version/s: 4.2.5
Component/s: Core, Security
Labels:
- security_vulnerability_medium

Sprint:
XRAY 2020 Sprint 10
Requirement Status:
OK
- 1

Description

In the Automated Steps Library page, in case of a syntax error, it is possible to execute JS text.

Steps to Reproduce:
1) Create a new Cucumber Test
2) Add a new Step: When I do stuff
3) Go to the Automated Steps Library
4) Edit the step created in 2) and replace with the following text:

When I do stuff
<script>alert(1);</script>

5) Click "Save"

Result: a popup will be displayed will appear
Expected: the HTML tags should not be processed

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screenshot at Sep 18 17-50-25.png
149 kB
19/Sep/19 10:55 AM
Screenshot at Sep 18 17-49-24.png
130 kB
19/Sep/19 10:55 AM

Activity

People

Assignee:: Paulo Alves

Reporter:: Hugo Braz [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 19/Sep/19 10:56 AM

Updated:: 18/Feb/21 5:14 PM

Resolved:: 18/Feb/21 4:54 PM

Time Tracking

Estimated:

Remaining:

Logged:

25m