Recently, Gaurav reported a Self-XSS vulnerability in the video-link feature, and you can find the fix in @TomasBaskys's recent commit: 5d0e929
However, it was later identified that this Self-XSS could be escalated using the import feature; therefore, we're opening this issue to re-test this fix and find any potential way to bypass it.
Areas to Focus
The only possible way to leverage an XSS attack is using the import feature (when you try to import another user's library/project), so focus on:
Import Feature
Bypass Rules for restricted/specified video host providers
Besides, you can also look into other areas where your JS payloads get stored and run every time you open them (Templates, Payloads, etc.).
Please focus only on Stored-XSS; any Self-XSS related issue wouldn't be taken at priority, as the sanitization part takes place at the time of storage, so there's no real way to escalate the Self-XSS.
Please use the latest version for testing this.
For suggestions / questions / fixes, you can comment here. To report any possible way to bypass, please send an email at [email protected]
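As an added example (not the project's code and not part of the issue author's post): a strict allowlist check for video-link URLs that the import path reuses unchanged, so a link the editor would reject is also rejected when it arrives inside another user's library. The allowed hosts and the record shape are constructed assumptions, not the project's real configuration.

```javascript
// Added example, not code from the project: one sanitizer for video links,
// applied identically on direct entry and on import, so the import feature
// cannot store a link that the video-link editor would have refused.
// The host allowlist below is a constructed placeholder, not the project's list.
const ALLOWED_VIDEO_HOSTS = new Set([
  "www.youtube.com", "youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com",
]);

// Returns the normalised URL string if the link is acceptable, otherwise null.
function sanitizeVideoLink(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw.trim());              // non-URL text (markup, bare words) throws here
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;      // rejects javascript:, data:, http:, etc.
  if (url.username || url.password) return null;   // no embedded credentials
  if (!ALLOWED_VIDEO_HOSTS.has(url.hostname)) return null; // URL already lowercases hostname
  return url.toString();
}

// Import path: every imported record goes through the same check as a record
// typed into the editor. Records with a bad link are dropped and reported,
// never stored for later rendering. Record shape ({ id, videoLink }) is assumed.
function importRecords(records) {
  const accepted = [];
  const rejected = [];
  for (const rec of records) {
    const clean = sanitizeVideoLink(rec.videoLink);
    if (clean === null) {
      rejected.push(rec.id);
      continue;
    }
    accepted.push({ ...rec, videoLink: clean });
  }
  return { accepted, rejected };
}
```

The point to re-test from this issue is exactly that both entry points call the same check; a second, looser sanitizer on the import side is the gap that turns a Self-XSS into a Stored-XSS.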