Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS in the tag name #13168

Closed
3 tasks done
claunch3r opened this issue Nov 16, 2024 · 1 comment
Closed
3 tasks done

XSS in the tag name #13168

claunch3r opened this issue Nov 16, 2024 · 1 comment
Assignees
@Vanessa219
Labels
Bug

Comments

@claunch3r
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

  • I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

  • I've ruled out the possibility that the extension is causing the problem.

Describe the problem

I found an XSS vulnerability in the tag name.

Steps to reproduce:

  1. Create a tag containing an XSS payload: <img src =q onerror=prompt(8)>
  2. As a result, an XSS vulnerability is exploited

Screenshots:
1
2

Expected result

Screenshot or screen recording presentation

Version environment

- Version: v3.1.11
- Operating System: Arch Linux
- Browser (if used): Firefox

Log file

More information
@zxkmm
Copy link
Contributor

zxkmm commented Nov 16, 2024

really nice point! thx!

to me, it looks quite harmless since it's pure DOM injection vuln, that the only possible entrance (the clipper chrome plugin) already filtered special char when clipping; and ofc user won't do that on purpose

however that saying that's also would be good (and harmless) to filter special char (and also all the eval injections too). not only defense this xss, but also prevent some potential bugs that can be triggered. so still a nice point.

@Vanessa219

@88250 88250 mentioned this issue Nov 17, 2024
Closed
@88250 88250 added the Bug label Nov 17, 2024
Vanessa219 added a commit that referenced this issue Nov 17, 2024
@Vanessa219
🎨 #13168
c0a104d
Vanessa219 added a commit that referenced this issue Nov 17, 2024
@Vanessa219
🎨 #13168
7c7b736
88250 added a commit that referenced this issue Nov 17, 2024
@88250
🎨 Fix XSS in the tag name #13168
8653f7e
88250 added a commit that referenced this issue Nov 18, 2024
@88250
🎨 Fix XSS in the tag name #13168
732ee2e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Vanessa219 Vanessa219

Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@88250 @Vanessa219 @zxkmm @claunch3r