[Zappl] - XSS in search bar
Expected behavior
XSS filter evasion should cover each edge case. All possible XSS code should be rejected.
Actual behavior
XSS filter evasion is not working for input text method, DIV expression method, and WAF ByPass Strings for XSS.
How to reproduce
Here are all the urls you can test to reflect the XSS bug:
https://gist.github.com/jayserdny/bf23a88197aabe2cbc5bae96fc31a198
Environment
- Browser: Google Chrome Version 64.0.3282.186 (Official Build) (64-bit)
- Operating system: macOS High Sierra
Some screenshots of the bug
Posted on Utopian.io - Rewarding Open Source Contributors
Hey @jaysermendez I am @utopian-io. I have just upvoted you!
Achievements
Suggestions
Get Noticed!
Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!
Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
Thank you for the contribution. It has been approved.
You can contact us on Discord.
[utopian-moderator]
I agree with you. I can easily inject code similar to the UI and redirect the data to my server and share the prettified URL with someone else hehehe
great