This repository has been archived by the owner on Oct 8, 2020. It is now read-only.

[Bounty] Tronscan V2 - Able to put invalid characters in Representative Website URL #236

Open
robincarlo84 opened this issue Jun 4, 2018 · 0 comments

Comments


robincarlo84 commented Jun 4, 2018

Bug Report

As you can see in the screenshots, you are able to put invalid characters in the Website URL field.

[three screenshots attached to the original issue: the Website URL field accepting the payload]

Not sanitizing the input fields makes your site prone to XSS injections.

You can reproduce this by:

  1. Apply to be a super representative candidate.
  2. Enter a valid website address, e.g. https://www.sample-url.com
  3. Once the application is approved, go back to your account, then change the website.
  4. Change the website to this: "><img src=d onerror=prompt(document.cookie);>
     Note: include the double quote (") character.

OS

Mac

Browser

Chrome
FF
Safari

Reward Information

Voluntary donation: 0x6562eb37a210a0949fd502f2a746284a38f4e9cc
Email: [email protected]
