Closed Bug 741335 Opened 13 years ago Closed 13 years ago

BetaFarm: Edit project is vulnerable to XSS

Categories

(Websites :: mozillalabs.com, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mgoodwin, Assigned: jfong)

References

Details

(Keywords: wsec-xss, Whiteboard: [infrasec:xss][ws:high])

Issue: Betafarm is vulnerable to XSS on the edit project feature. I'm unsure of the impact of this as I don't know how 'trusted' project owners are.

Steps to reproduce:
1) log in to betafarm as a project owner
2) Edit the long description to include <script>alert(123)</script>
3) observe the alert pop up on submitting the form / viewing the project as another user

Remediation: Ensure any output is adequately encoded - see secure coding guidelines at https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_XSS

If HTML is required, consider:
1) parsing the document (e.g. with BeautifulSoup)
2) Removing all attributes and elements not in a whitelist
There may be other issues like this elsewhere in the site; please ensure other user-supplied input is output encoded prior to rendering. Please use this document for guidance https://mana.mozilla.org/wiki/display/INFRASEC/XSS+and+Jinja2. Also, I've been working on some Jinja2 filters that may help you: https://github.com/mozmark/xssfilter
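The two remediation options the reporter lists (encode all output as text, or parse the HTML and keep only an allowlist of elements and attributes), as an added worked example that is not part of the bug or of the Betafarm code base. It uses only the Python standard library, so `html.parser.HTMLParser` stands in for the BeautifulSoup parse the reporter suggests; the allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL_SCHEMES`) is a hypothetical policy, and `SAMPLE_DESCRIPTION` is a constructed long description that embeds the payload from the reproduction steps alongside legitimate markup.

```python
"""Output encoding vs. allowlist sanitisation for a user-supplied HTML field."""
from html import escape
from html.parser import HTMLParser

# Constructed sample input: legitimate markup mixed with the bug's <script> payload
# and a couple of other event-handler vectors.
SAMPLE_DESCRIPTION = (
    'Our project <b>rocks</b>. <a href="https://example.org" onclick="steal()">site</a>'
    '<script>alert(123)</script><img src=x onerror="alert(1)">'
)


def render_plain(user_text: str) -> str:
    """Option 1: treat the description as text. Every character with meaning in
    HTML is encoded, so nothing the user typed can become markup."""
    return escape(user_text, quote=True)


# Option 2 policy (hypothetical): which elements survive, and which attributes each may keep.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}                                  # no closing tag is emitted for these
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")  # blocks javascript:/data: hrefs


class AllowlistSanitizer(HTMLParser):
    """Parse the document and rebuild it from scratch, keeping only allowlisted
    elements and attributes. Anything else is dropped; the *contents* of
    <script>/<style> are discarded rather than re-emitted as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed element: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, etc.
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # allowlisted attribute, but an unsafe URL scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    # HTMLParser's default handle_startendtag calls handle_starttag then
    # handle_endtag, which is what we want for <br/>.

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-encoded on the way out, so a decoded "&lt;" cannot
        # re-emerge as a live "<".
        if not self._skip_depth:
            self.out.append(escape(data, quote=True))


def sanitize_html(user_html: str) -> str:
    """Return a rebuilt document containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("encoded  :", render_plain(SAMPLE_DESCRIPTION))
    print("sanitised:", sanitize_html(SAMPLE_DESCRIPTION))
```

Option 1 is what a Jinja2 template does for every `{{ }}` expression when autoescaping is enabled; only a string that has already been through something like `sanitize_html` should ever be marked `|safe`. The stand-in parser above is tolerant of malformed input in ways a browser may not mirror exactly, which is why the reporter's advice to parse with a proper HTML library (or to use a maintained sanitiser) is the right long-term fix; the allowlist-and-rebuild structure is the part worth copying.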
Assignee: nobody → jfong
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Verified that no script errors pop up and script tags are ignored upon input.
Status: RESOLVED → VERIFIED
Component: Betafarm → mozillalabs.com
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss