Very vulnerable to a XSS #20
Comments
If you have a serious security vulnerability to report, I am reachable on Discord in https://discord.gg/red as Flame#2941. This post does not have enough information for me to understand what is going on, so I urge you to send me a private message if you have a legitimate vulnerability to report.
Yeah, but this does not go to any server or even get displayed to anyone else besides you when you do that, and you can use alert in dev tools, so?
I wouldn't call this a serious or exploitable vulnerability, however, a script injection attack is possible if a user pastes a malicious string into one of the fields. Of course, this would be as good as useless as AFAIK the site doesn't store anything valuable other than the values of the other fields, so there's nothing for an attacker to take.

This is still an issue as entering certain values (e.g. if you want <something> to appear in one of your fields) will make them not show up as they are seen as HTML. (see screenshot)

The issue is that there is no input sanitisation performed in the updateEmbed function, for example here: discord-embed-sandbox/js/index.js Lines 44 to 45 in c684c6e

If the input is first properly sanitised, for example with something like this, or ideally a proper sanitisation library, the issue would be resolved.

Considering, afaik, you cannot add URL-parameters for an embed (ie EDIT: opened a PR that fixes this; see #25
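The escaping step described in the comment above, as an added example that is not part of the thread, the project's code or the linked PR. The function names, the `embed-title` class and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not code from discord-embed-sandbox.

// Characters that change meaning in HTML text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a user-supplied value so the browser renders it as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the field value is concatenated into markup unchanged, so
// anything that looks like a tag is parsed as HTML instead of shown.
function renderTitleUnsafe(title) {
  return '<div class="embed-title">' + title + '</div>';
}

// "After": the value is escaped first, so it can only ever be text.
function renderTitleSafe(title) {
  return '<div class="embed-title">' + escapeHtml(title) + '</div>';
}

// Constructed sample inputs.
const samples = [
  'Release <something> notes',   // the disappearing-text case from the thread
  '<script>alert(1)</script>',   // markup that must not reach the HTML parser
  'Tom & "Jerry"',               // ampersands and quotes must survive as typed
];

// Render every sample both ways so the difference is visible side by side.
function compareRenderings(inputs) {
  return inputs.map((input) => ({
    input,
    unsafe: renderTitleUnsafe(input),
    safe: renderTitleSafe(input),
  }));
}

for (const row of compareRenderings(samples)) {
  console.log(row);
}
```

In the browser, assigning the value to an element's `textContent` instead of building a markup string gives the same result without a hand-written escaper.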
There should be something to sanitize the code, people can run an XSS without problems..