Skip to content

Stored XSS in Project Name #520

Description

@sowish

Version

~ 1.3.22

Problem

~ Stored XSS in Project Name

如何复现此问题

  1. Register a account in the demo domain http://yapi.demo.qunar.com/
    Then new a project:

    Insert the paload xss"><img src=1 onerror=alert(/xss/)> in project name and set the project as public.
  2. Then put the project to as public group ,such as test2, so every one can view the project
  3. When the someone including the managers & administrators views the operation dynamics of the project, malicious js code will execute.

什么浏览器

~ chrome

什么系统(Linux, Windows, macOS)

~ Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions