Summary
Improper storage and rendering of the /user/<user> page allows a user's comments to execute arbitrary JavaScript code.
Details
The HTML template user.html contains the following code snippet to render comments made by a user:
<div class="content" tag="content">{{comment[2]|safe}}</div>
Use of the "safe" filter marks the value as trusted markup, so Flask (via Jinja2) does not escape the rendered content.
To remediate this, simply remove the |safe filter from the HTML above.
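As an added illustration (not code from the advisory or the affected project), the following stand-alone Python models Jinja's autoescaping with html.escape from the standard library, renders the quoted snippet both with and without |safe against a constructed comment row, and includes a small audit helper that lists every {{ ... |safe }} output in a template source:

```python
import html
import re

# Constructed inputs: the snippet quoted from user.html and its remediated form.
# (Flask autoescapes .html templates, so dropping |safe is enough to restore escaping.)
VULNERABLE_SNIPPET = '<div class="content" tag="content">{{comment[2]|safe}}</div>'
FIXED_SNIPPET = '<div class="content" tag="content">{{comment[2]}}</div>'

# Constructed comment row shaped the way the template indexes it: index 2 is the body.
SAMPLE_COMMENT = (7, "alice", "<script>alert(1);</script>")

# {{ expr }} outputs in a Jinja template, and a trailing "|safe" on such an expression.
OUTPUT_RE = re.compile(r"\{\{\s*(.+?)\s*\}\}")
SAFE_TAIL_RE = re.compile(r"\s*\|\s*safe\s*$")


def find_safe_outputs(template_source):
    """Audit helper: list every expression a template emits unescaped via |safe."""
    found = []
    for match in OUTPUT_RE.finditer(template_source):
        expr = match.group(1)
        tail = SAFE_TAIL_RE.search(expr)
        if tail:
            found.append(expr[:tail.start()])
    return found


def render(template_source, values):
    """Model Jinja autoescaping for simple {{ expr }} outputs.

    `values` maps expression text (e.g. "comment[2]") to its value. Each value is
    HTML-escaped on output unless the expression carries |safe, which, as in Jinja,
    marks it as trusted markup and emits it verbatim. html.escape stands in for
    markupsafe.escape here; both neutralise < > & " and '.
    """
    def substitute(match):
        expr = match.group(1)
        tail = SAFE_TAIL_RE.search(expr)
        if tail:
            return str(values[expr[:tail.start()]])
        return html.escape(str(values[expr]), quote=True)
    return OUTPUT_RE.sub(substitute, template_source)


def render_profile_comment(template_source, comment=SAMPLE_COMMENT):
    """Render one comment body the way the user.html snippet would."""
    return render(template_source, {"comment[2]": comment[2]})
```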
PoC
- Make a post as a user
- Leave a comment on the post containing:
<script>alert(1);</script>
- Browse to your profile page and notice the popup
Impact
Classic cross-site scripting vulnerability affecting users who visit the profile of a poster whose post contains scripted comments. It may be possible to write a self-replicating payload that spreads this comment like a worm across other profiles.