Comments (4)
Duplicate of #1298
Any relevant commit for the above issue?
@galaktipus There's no commit because it was deemed to not be an issue. In the thread it was discussed that AnchorCMS has this as a feature, and not as a vulnerability.
Further, in the contribution guidelines, we request that you search for your issue to see if it's already been reported before opening a new one. This has obviously not been done. :(
Apologies, this was my mistake, I did not realize it was a dupe until I had posted the issue. I do recommend blocking event handlers and script tags, to provide some sort of security, but still allowing HTML customizable content. Maybe add toggleable HTML entity encoding. Without this option, the XSS can be exploited for horizontal privilege escalation.
I understand this was added as a feature, but it can still be used maliciously to some extent, and it is worth thinking about how the end user interacts with your product. Of course it is completely your choice on how you move forward with this.
Thank you for your time, and sorry again for the duplicate issue :)
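The two options the comment above describes, an allowlist sanitizer that removes script tags and event-handler attributes, and a toggle that instead entity-encodes everything, as an added illustration that is not Anchor CMS code (names such as `AllowlistSanitizer` and `render_user_html`, the allowlist and the sample post are all constructed for the example):

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for the example; a real deployment would tune this.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
DROP_CONTENT_TAGS = {"script", "style"}  # the tag AND its body are removed
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted tags; drop every attribute except a safe href on <a>.
    on* event handlers never survive because no attribute is copied through
    unless it is explicitly allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still emitted
        kept = ""
        if tag == "a":
            for name, value in attrs:
                v = (value or "").strip()
                if name == "href" and v.lower().startswith(SAFE_HREF_PREFIXES):
                    kept = ' href="%s"' % escape(v, quote=True)  # javascript: etc. rejected
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-encode decoded text


def render_user_html(source, allow_html):
    """The toggle: entity-encode everything, or pass through the allowlist sanitizer."""
    if not allow_html:
        return escape(source, quote=True)
    parser = AllowlistSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out)


# Constructed sample post carrying the patterns the filter must remove.
SAMPLE = ('<p onclick="x()">Hi <b>there</b><script>doc()</script>'
          '<a href="javascript:alert(1)">x</a><a href="https://example.com">ok</a></p>')
```

With `allow_html=False` the post is rendered as literal text, which closes the issue entirely at the cost of HTML customisation; with `allow_html=True` the markup survives but the script body, the onclick handler and the javascript: link do not.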