The "symbol" field, which is often accessible to any user of a smart contract when minting a new ERC20 Token, can be exploited for malicious purposes. A user could inject malicious JavaScript code via the "symbol" field, which might then be displayed in a web application, leading to an XSS attack—assuming the web application lacks output sanitization and a properly configured CSP (Content Security Policy).
In the field of cybersecurity, the principle of "Defense in Depth" applies, which emphasizes implementing mitigation mechanisms at every level of a system or application. Given that the "symbol" field is meant to represent only an abbreviated name for the ERC20, it should not support an unlimited number of characters. Furthermore, careful consideration should be given to whether certain characters, such as < and >, should be permitted in this field.
openzeppelin-contracts/contracts/token/ERC20/ERC20.sol
Line 47 in c3b3ae7
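As an added example (not code from this issue or from the OpenZeppelin repository), here is the front-end side of the risk described above: the same attacker-controlled symbol rendered by raw interpolation versus HTML escaping, with a length and character-set policy as a second layer. The sample symbol, the 11-character limit and the allowed character set are assumptions made for the example, not requirements of the ERC20 standard.

```javascript
// Added example: how a web front end should treat an on-chain ERC20 symbol,
// which is set by whoever deployed the token and must be considered untrusted.
// Rendering is done to an HTML string so the code runs under Node without a DOM.

// Constructed sample: a symbol chosen by a token deployer that contains markup.
const UNTRUSTED_SYMBOL = 'TKN<script>alert(1)</script>';

// Vulnerable pattern: raw interpolation into HTML (same effect as innerHTML).
function renderSymbolUnsafe(symbol) {
  return `<span class="symbol">${symbol}</span>`;
}

// Minimal HTML escaping for text content; covers the characters that can open
// a tag or break out of a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: escape on output, whatever the chain returned.
function renderSymbolSafe(symbol) {
  return `<span class="symbol">${escapeHtml(symbol)}</span>`;
}

// Defense in depth, second layer: a policy applied before the value is stored
// or displayed. The limit and allowed set are assumptions for this example.
const SYMBOL_MAX_LEN = 11;
const SYMBOL_ALLOWED = /^[A-Za-z0-9.$-]+$/;

function isAcceptableSymbol(symbol) {
  return typeof symbol === 'string'
    && symbol.length > 0
    && symbol.length <= SYMBOL_MAX_LEN
    && SYMBOL_ALLOWED.test(symbol);
}

// Display helper: substitute a placeholder for a symbol that fails policy,
// and still escape whatever ends up being displayed.
function displaySymbol(symbol) {
  return renderSymbolSafe(isAcceptableSymbol(symbol) ? symbol : '[invalid symbol]');
}
```

Escaping on output is the layer that actually stops the injection; the policy check only narrows what reaches the page and should never replace it.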