October: Improper escaping of html tags in Blog posts added from admin panel

Created on 3 Feb 2017 · 3 Comments · Source: octobercms/october

Expected behavior

Escaped <> and other HTML tags/characters, to prevent XSS attacks etc.

Actual behavior

After installing OctoberCMS with the Blog plugin and adding a new post with the following content:

This is my test post :)

All 3 comments

I think this question / report is better placed on the blog plugin issues.

@SeekAndPwn As @SebastiaanKloos said, this is in regard to the blog plugin, so it belongs there. As a side note, the blog plugin uses Markdown as its content field, so there is no XSS vulnerability as reported.

Looks like you need to install the DOM extension in PHP. Also HTML is allowed in blog posts, if an admin wants to perform XSS on themselves then it is their prerogative.
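The maintainers' position in the thread is that post bodies are Markdown, that HTML inside them is allowed, and that an admin injecting into their own site is not a vulnerability. That holds as long as only trusted admins author posts. The following is an added example, not code from October CMS or the Blog plugin: if post bodies can come from authors you do not trust, it shows the two policies the report and the replies are talking about, in plain PHP. Policy 1 escapes everything so tags render as text; policy 2 keeps a small allow-list of tags and attributes and drops the rest, using DOMDocument from ext-dom (the DOM extension the last comment mentions). The function names, the allowed tag and attribute lists, and the sample post body are assumptions chosen for this example.

```php
<?php
// Added example, not October CMS / Blog plugin code. Requires ext-dom.
declare(strict_types=1);

// Policy 1: treat the whole body as text. <, >, &, " and ' become entities,
// so "<script>" is displayed literally and never parsed as markup.
function escapeAll(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Policy 2: allow-list sanitizer on top of the DOM extension.
// These lists are assumptions for the example, roughly what Markdown emits.
const ALLOWED_TAGS  = ['p', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'code', 'pre', 'blockquote', 'br'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
// Elements whose *content* must go too (text inside <script> is code, not prose).
const DROP_SUBTREE  = ['script', 'style', 'iframe', 'object', 'embed', 'template', 'noscript'];

function safeUrl(string $url): bool
{
    // Browsers strip tabs/newlines and C0 controls before reading the scheme,
    // so do the same before checking; entities are already decoded by the DOM.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // relative URL, no scheme at all
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the child list: we mutate it while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_SUBTREE, true)) {
                $node->removeChild($child);          // element and everything inside it
                continue;
            }
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown but harmless container (div, span, img, ...): keep its
                // children, lose the element itself.
                cleanNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            // Allowed element: strip every attribute not on its list
            // (this is what removes onclick=, onerror=, style=, srcdoc=, ...).
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed, true) || ($name === 'href' && !safeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);              // comments, PIs, CDATA
        }
    }
}

function sanitizeHtml(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);       // tolerate tag soup quietly
    // The XML PI makes libxml read the input as UTF-8; the explicit <body>
    // keeps top-level text from being re-wrapped by the parser.
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);              // text nodes come back entity-escaped
    }
    return $out;
}

// Constructed sample post body, the kind of thing the report was about.
$post = '<p onclick="alert(1)">This is my <em>test</em> post :)</p>'
      . '<script>alert(document.cookie)</script>'
      . '<a href="javascript:alert(2)">click</a> <a href="https://example.com/">ok</a>'
      . '<img src=x onerror="alert(3)">';

echo escapeAll($post), PHP_EOL;      // everything literal, nothing executes
echo sanitizeHtml($post), PHP_EOL;   // <p>…</p>, script gone, first link loses its href, img unwrapped
```

Which policy fits depends on who writes posts: escapeAll is the right default for anything user-submitted, while the allow-list keeps Markdown's own output (paragraphs, emphasis, links) intact and is the policy to reach for when the thread's assumption, that only admins author posts, stops being true. Note that the allow-list must be enforced on the HTML after Markdown rendering, since raw HTML passes through a Markdown renderer untouched, which is exactly why the maintainers say HTML is allowed in post bodies.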
