
Update your site because it's still vulnerable to Stored XSS #12

Open
ghost opened this issue Apr 13, 2014 · 4 comments

Comments

@ghost

ghost commented Apr 13, 2014

http://labs.carsonshold.com/fb-photo-selector/

http://i.imgur.com/eBC4eIM.png

Payload: "><img src=x onerror=alert(document.cookie)>
@cshold
Owner

cshold commented Apr 14, 2014

Not sure what can be done about this. What are your thoughts?

@ghost
Author

ghost commented Apr 14, 2014

@cshold
Owner

cshold commented Apr 14, 2014

Isn't that just you editing the source? Never run into this before, so unsure of what the fix is.

@ghost
Author

ghost commented Apr 14, 2014

No, I'm not editing the source.

I made a Facebook photo album, then connected to your website to upload a picture, but the XSS appeared because of the unsecured coding style in your Facebook Photo Selector.

Try to add

htmlentities(album.name)

Search more about how to filter XSS using htmlentities.
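A worked illustration of the fix proposed in this thread, added here as an example and not code from the fb-photo-selector project: album names rendered into markup without escaping (the pattern behind the report) beside the same rendering with escaping applied, plus a check that flags any tag the template did not produce. The album objects, the function names and the regex check are assumptions; the only page-sourced value is the payload quoted in the first comment.

```javascript
// Album objects are constructed here to mimic what the Facebook Graph API
// returns; "name" is the user-controlled field the report is about.
const albums = [
  { id: "1", name: "Holiday 2014" },
  // constructed: album name carrying the payload quoted in the issue
  { id: "2", name: '"><img src=x onerror=alert(document.cookie)>' },
];

// Vulnerable pattern: untrusted text concatenated straight into markup.
function renderAlbumsUnsafe(albums) {
  return albums
    .map((a) => `<li data-id="${a.id}" title="${a.name}">${a.name}</li>`)
    .join("");
}

// Escape the five characters that matter in HTML text and attribute values
// (the JavaScript counterpart of the PHP htmlentities() suggested above).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted value is escaped before it is placed in
// markup, both as text content and inside a quoted attribute.
function renderAlbumsSafe(albums) {
  return albums
    .map((a) => {
      const id = escapeHtml(a.id);
      const name = escapeHtml(a.name);
      return `<li data-id="${id}" title="${name}">${name}</li>`;
    })
    .join("");
}

// Review/test helper: does the rendered markup contain any tag other than
// the <li> elements the template itself emits?
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}
```

When the selector builds real DOM nodes rather than strings, setting `textContent` and using `setAttribute()` achieves the same separation of data from markup without a manual escape step.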
