Very vulnerable to a XSS #20
Comments
|
If you have a serious security vulnerability to report, I am reachable on discord in https://discord.gg/red as Flame#2941. This post does not have enough information for me to understand what is going on, so I urge you to send me a private message if you have a legitimate vulnerability to report. |
For example in the inputs an XSS can be executed |
|
Yeah but this does not go to any server or even get displayed to anyone else besides you when do that and you can use alert in dev tools so? |
|
I wouldn't call this a serious or exploitable vulnerability, however, a script injection attack is possible if a user pastes a malicious string into one of the fields. Of course, this would be as good as useless as AFAIK the site doesn't store anything valuable other than the values of the other fields, so there's nothing for an attacker to take. This is still an issue as entering certain values (eg if you want <something> to appear in one of your fields) will make them not show up as they are seen as HTML. (see screenshot)
The issue is that there is no input sanitisation performed in the updateEmbed function, for example here: discord-embed-sandbox/js/index.js Lines 44 to 45 in c684c6e If the input is first properly sanitised, for example with something like this, or ideally a proper sanitisation library, the issue would be resolved. |
|
Considering, afaik, you cannot add URL-parameters for an embed (ie EDIT: opened a PR that fixes this; see #25 |
There should be something to sanitize the code, people can run an XSS without problems..
The text was updated successfully, but these errors were encountered: