When writing a new comment in QuipReply, you can put JavaScript code inside the website placeholder. Example:
Proof of Concept:
If email parameter is set as taken as the "href" property for an `<a>` tag (as by default), then it will turn into XSS:
quipcomment.chunk.tpl - line 8:
If "website" field is not empty in a comment, [[+authorName]] generates automatically an `<a>` tag with "website" as the content of "href" property, without any chances to filter the "href" parameter by ourselves.
Besides this, if any comment has XSS, when you try to manage a thread with the Quip CMP, the table of comments is empty. If you clean in the database the harmful comments, everything works fine.
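
One way to filter the "website" value before it reaches an `href`, shown as an added example that is not Quip's code and not part of the original report. The helper names `safeWebsiteHref()` and `renderAuthorName()`, the `rel` attribute and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Quip's code: hypothetical helpers, constructed inputs.

/** Return a URL that may be placed in href, or null if it must not be linked. */
function safeWebsiteHref(string $website): ?string
{
    // Drop control characters and whitespace, which browsers ignore inside
    // a URL scheme (e.g. "java\tscript:").
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $website);
    if ($url === null || $url === '') {
        return null;
    }
    // No scheme supplied: treat the value as a host name and default to http.
    if (!preg_match('/^[a-z][a-z0-9+.\-]*:/i', $url)) {
        $url = 'http://' . $url;
    }
    // Allow-list the scheme and require a host; anything else fails closed.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = parse_url($url, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return null;
    }
    return $url;
}

/** Build the author name markup: a link only when the website passes the filter. */
function renderAuthorName(string $name, string $website): string
{
    $flags    = ENT_QUOTES | ENT_SUBSTITUTE;
    $safeName = htmlspecialchars($name, $flags, 'UTF-8');
    $href     = safeWebsiteHref($website);
    if ($href === null) {
        return $safeName; // rejected or empty website: plain text, no <a> tag
    }
    // Escape for the attribute context so quotes cannot close href="...".
    $safeHref = htmlspecialchars($href, $flags, 'UTF-8');
    return '<a href="' . $safeHref . '" rel="nofollow noopener">' . $safeName . '</a>';
}

// Constructed sample values for the "website" field.
$samples = [
    'https://example.org/blog',
    'example.org',
    "java\tscript:alert(1)",
    'http://example.org/"onmouseover="x',
];
foreach ($samples as $website) {
    echo renderAuthorName('Alice', $website), PHP_EOL;
}
```

The first two samples are emitted as links, the third is rendered as the bare author name, and the fourth keeps its link with the quotes encoded as `&quot;` inside the attribute.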