
Minor XSS issue #30

Open
mclare opened this issue Jun 14, 2022 · 3 comments

Comments

@mclare

mclare commented Jun 14, 2022

The test for malicious use of script tags (feed2js.php, lines 50 to 54) is insufficient.

Happy to share proof of concept as DM.

Can be mitigated at the server level. Can also be mitigated at the script level with new code from PHP7+ and/or a larger XSS library.

A PHP-level mitigation might impact project requirements and dependencies, so I wanted to file the issue before offering a PR.
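The report describes a blocklist-style test for script tags. As an added illustration (not feed2js code, and not the PR referenced in this thread), the snippet below shows the alternative shape of a PHP 7.4+ mitigation: reduce feed HTML to an allowlist of tags and attributes, then encode the result for the JavaScript string context the generated script writes into. The allowlist, the `sanitizeFeedHtml`/`toJsStringLiteral` names and the sample item are assumptions.

```php
<?php
// Added illustration, not feed2js code: allowlist sanitizing plus JS-context
// encoding instead of testing for forbidden <script> tags.
declare(strict_types=1);

// Tags a feed item may keep when written into the host page (assumed allowlist).
const ALLOWED_TAGS = ['p', 'a', 'b', 'i', 'em', 'strong', 'br', 'ul', 'ol', 'li'];

function sanitizeFeedHtml(string $html): string
{
    // strip_tags() with an array allowlist (PHP 7.4+) drops every other tag,
    // including <script>, whatever its case or attribute noise.
    $kept = strip_tags($html, ALLOWED_TAGS);

    // Allowed tags may still carry attributes (onclick etc.). Keep only an
    // http(s) href on <a>; rewrite every other opening tag as bare.
    return preg_replace_callback(
        '/<(\w+)([^>]*)>/',
        static function (array $m): string {
            $tag = strtolower($m[1]);
            if ($tag === 'a'
                && preg_match('/\bhref\s*=\s*["\']([^"\']*)["\']/i', $m[2], $h)
                && preg_match('#^https?://#i', $h[1])) {
                return '<a href="' . htmlspecialchars($h[1], ENT_QUOTES, 'UTF-8') . '">';
            }
            return '<' . $tag . '>';
        },
        $kept
    );
}

// Encode text for embedding as a JavaScript string literal. JSON_HEX_TAG turns
// < and > into \u003C / \u003E, so a literal "</script>" inside feed content
// cannot terminate the generated script element.
function toJsStringLiteral(string $text): string
{
    return json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR
    );
}

// Constructed sample item (not from a real feed).
$item = '<p onclick="x()">Hello <b>world</b></p>'
      . '<script>untrusted()</script>'
      . '<a href="javascript:y()">link</a>';
echo 'document.write(' . toJsStringLiteral(sanitizeFeedHtml($item)) . ");\n";
```

With the sample item, the script tag, the onclick attribute and the non-http href are all gone from the emitted `document.write` argument, and the remaining markup is hex-escaped inside the JavaScript string.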

@cogdog
Owner

cogdog commented Jun 14, 2022

Thanks Matt. Those lines were written in a pretty naive period of time ;-)

Happy to take a PR. I do have a challenge in no longer having access to the server it is hosted on, and will try to reach out to the admin again (I was only able to find him on LinkedIn where I am NotIn)

Hi, nice to hear from ya...

@mclare
Author

mclare commented Jun 15, 2022

Ok give me a bit to come up with a mitigation that'll pass scrutiny.

Pleasure to have a reason to reach out.

DM me on Twitter if you want the proof of concept link.

@mclare
Author

mclare commented Jun 15, 2022

PR #31 created.
