New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

【SECURITY】存储型跨站脚本攻击 #1527

Open

chenhbc opened this issue Nov 24, 2024 · 0 comments

Labels

bug

chenhbc commented Nov 24, 2024

Bug 描述
页面存在 "Stored Cross-Site Scripting"（存储型跨站脚本攻击）漏洞

复现步骤
该 Bug 复现步骤如下

创建/编辑一个 Canvas
到 Design Tab 页面
Edit extract and add payload under Selector field <img src=x onerror=alert('xss')>
保存后鼠标移到 Payload 上，会弹窗口

期望结果
后端对输入的内容进行过滤或者转义，避免脚本被执行。

截屏

chenhbc added the bug label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment