Possible XSS vulnerability

Forum to discuss the new web client version of Servoy.

Postby jdbruijn » Wed Jul 13, 2016 11:18 am

We might have found an XSS injection vulnerability in Servoy.
Run attached sample and paste the following line in the edit field:
XSSStored<script>alert(1)</script>

This script will run as soon as you leave the edit field.

Are we as developers responsible to make sure this kind of input is not allowed, or is this something that Servoy should/can fix?
Jos de Bruijn
Focus Feedback BV
Servoy Certified Developer
jdbruijn
 
Posts: 492
Joined: Sun Apr 11, 2010 6:34 pm

Re: Possible XSS vulnerability

Postby Andrei Costescu » Wed Jul 13, 2016 12:43 pm

Can you create a feature request for this?
We could make it easier for the developers to avoid this by disallowing by default such script execution on some default components (like labels). Of course it should be possible to allow it as well if developers want that.

Until then you need to validate this kind of data.
Andrei Costescu
Servoy
Andrei Costescu
 
Posts: 1018
Joined: Tue Jun 26, 2007 3:14 pm
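One way to do the validation Andrei describes, as an added example (not Servoy code; the function names are assumed for this illustration): escape the stored value for the HTML text context before a label renders it, and flag values that carry active markup so they can be logged or rejected. It is run here against the payload from the first post and a benign string.

```javascript
// Added example, not part of the original thread or of Servoy.
// escapeHtml makes user text safe to place in an HTML text node or a
// quoted attribute; looksLikeActiveContent is a heuristic for logging/rejecting.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning in HTML with its entity.
// Apply this at render time, to the raw stored value, exactly once.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic check on the raw value: script tags, inline event-handler
// attributes inside a tag, or javascript: URLs. Escaping is the real
// defence; this only tells you which stored records deserve attention.
function looksLikeActiveContent(value) {
  const s = String(value);
  return /<\s*script\b/i.test(s)
    || /<[^>]*\son[a-z]+\s*=/i.test(s)
    || /javascript\s*:/i.test(s);
}

// Constructed samples: the payload quoted in the post above, plus
// ordinary text containing characters that must still display correctly.
const samples = [
  'XSSStored<script>alert(1)</script>',
  'Smith & Sons <Ltd>',
];

for (const raw of samples) {
  console.log(JSON.stringify(raw), '->', escapeHtml(raw),
    looksLikeActiveContent(raw) ? '(flagged)' : '');
}
```

The escaped form of the payload displays literally in the label instead of executing; the benign string is not flagged but is still escaped, since escaping does not depend on the heuristic.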

Re: Possible XSS vulnerability

Postby jdbruijn » Wed Jul 13, 2016 1:02 pm

Jos de Bruijn
Focus Feedback BV
Servoy Certified Developer
jdbruijn
 
Posts: 492
Joined: Sun Apr 11, 2010 6:34 pm
