Comments (5)
If you have a serious security vulnerability to report, I am reachable on discord in https://discord.gg/red as Flame#2941. This post does not have enough information for me to understand what is going on, so I urge you to send me a private message if you have a legitimate vulnerability to report.
from discord-embed-sandbox.
For example, in the inputs an XSS can be executed.
from discord-embed-sandbox.
Yeah, but this does not go to any server or even get displayed to anyone else besides you when you do that, and you can use alert in dev tools, so?
from discord-embed-sandbox.
I wouldn't call this a serious or exploitable vulnerability, however, a script injection attack is possible if a user pastes a malicious string into one of the fields. Of course, this would be as good as useless as AFAIK the site doesn't store anything valuable other than the values of the other fields, so there's nothing for an attacker to take.
This is still an issue as entering certain values (eg if you want <something> to appear in one of your fields) will make them not show up as they are seen as HTML. (see screenshot)
The issue is that there is no input sanitisation performed in the updateEmbed function, for example here:
discord-embed-sandbox/js/index.js, lines 44 to 45 in c684c6e
If the input is first properly sanitised, for example with something like this, or ideally a proper sanitisation library, the issue would be resolved.
from discord-embed-sandbox.
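The escaping step the comment above asks for, as an added example that is not discord-embed-sandbox's own code: the function names and the sample field values (including the `<something>` case from the thread) are constructed for illustration.

```javascript
// The reported pattern: a user-typed field value is written into the preview as
// raw markup (innerHTML), so "<something>" disappears and a <script> tag is parsed
// as markup. Escaping the five HTML-significant characters before the write makes
// the browser render the text literally. Names here are constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the value is interpolated as markup, which is what the issue describes.
function renderFieldUnsafe(field) {
  return `<div class="field"><b>${field.name}</b><span>${field.value}</span></div>`;
}

// Safe: every user-controlled string is escaped before it becomes part of the markup.
// The equivalent in-page fix is previewEl.innerHTML = renderFieldSafe(field), or
// per element previewEl.textContent = field.value, which never interprets markup.
function renderFieldSafe(field) {
  return `<div class="field"><b>${escapeHtml(field.name)}</b><span>${escapeHtml(field.value)}</span></div>`;
}

// Constructed sample inputs: the "<something>" case from the thread and a script tag.
const sampleFields = [
  { name: 'Usage', value: 'type <something> here' },
  { name: 'x', value: "<script>alert('hi')</script>" },
];

// Returns both renderings side by side so the difference can be inspected or asserted.
function demo() {
  return sampleFields.map((f) => ({ unsafe: renderFieldUnsafe(f), safe: renderFieldSafe(f) }));
}
```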
Considering, afaik, you cannot add URL-parameters for an embed (ie ?title=test&description=<script>alert('hi')</script>&fields=[title=a;value=b;inline=1]), this doesn't seem like a Cross-Site-Scripting Vulnerability, rather a trivial bug.
However, I would still like to see sanitation, so forks of the project which may allow that aren't unknowingly vulnerable to this.
Will likely open a PR that fixes this in a bit.
EDIT: opened a PR that fixes this; see #25
from discord-embed-sandbox.