
Search query gets rendered as HTML #3485

Closed
2 of 7 tasks
jonasfranz opened this issue Feb 10, 2018 · 3 comments · Fixed by #3486
Labels
topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!

Comments

@jonasfranz
Member

  • Gitea version (or commit ref): 1.4.0+rc1
  • Operating system: Ubuntu Server 16.04
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No, because repo indexer is disabled
    • Not relevant

Description

When I enter an HTML tag into the repository search, the query gets rendered as HTML. But it is sort of escaped because only h1, b, i etc. are rendered but without parameters like onload.

Screenshots

Search-Query: <i>

[screenshot: frontend 1]

Search-Query: <h1>

[screenshot: frontend]

Search-Query: <b>Hello</b><h1>World</h1>

[screenshot: frontend 2]

@jonasfranz
Member Author

This might also be security relevant because attackers could send links containing a message for example to send credentials to the attacker.

@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Feb 10, 2018
@ethantkoenig
Member

FYI, while this is certainly a bug (good catch @JonasFranzDEV), I don't believe XSS is a concern because the search query was previously piped through Str2Html (which sanitizes unsafe HTML)

@jonasfranz
Member Author

@ethantkoenig You're right. It is not a real XSS but it could be used to show the user a big text for example saying to send their password to an email.
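The distinction drawn in this thread, between sanitising a value and escaping it, is easy to see in a few lines of Go. The program below is an added example and is not Gitea's code; it does not reproduce Str2Html or the real search template. It assumes a plain html/template page with a text node and an input value, and uses `template.HTML(query)` to stand in for the reported behaviour where the query reaches the template already marked as safe HTML. A sanitiser that keeps b, i and h1 still produces markup that the browser renders, which is exactly the spoofing concern raised above; contextual escaping of the raw string is what makes the tags appear as literal text. The sample query is constructed from the third screenshot in the report.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample query, taken from the report's third screenshot.
const sampleQuery = `<b>Hello</b><h1>World</h1>`

// Hypothetical page: the query appears both as a text node and as the
// value of the search box, two different escaping contexts.
const pageTemplate = `<p>Results for "{{.}}"</p><input name="q" value="{{.}}">`

// renderEscaped passes the query as an ordinary string. html/template
// escapes it per context, so the tags become literal text and cannot
// restyle the page.
func renderEscaped(query string) (string, error) {
	tmpl := template.Must(template.New("escaped").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, query); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderTrusted reproduces the bug pattern: wrapping the value in
// template.HTML tells html/template it is already safe, so the markup is
// emitted verbatim. This is what a sanitise-then-trust pipeline does to
// tags the sanitiser allows, such as b, i and h1.
func renderTrusted(query string) (string, error) {
	tmpl := template.Must(template.New("trusted").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, template.HTML(query)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawTag is a simple check a test or reviewer might use: does the
// rendered output still contain the user's tag as real markup?
func containsRawTag(rendered, tag string) bool {
	return strings.Contains(rendered, "<"+tag+">")
}

func main() {
	escaped, err := renderEscaped(sampleQuery)
	if err != nil {
		panic(err)
	}
	trusted, err := renderTrusted(sampleQuery)
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped:", escaped)
	fmt.Println("trusted:", trusted)
	fmt.Println("h1 survives as markup (escaped):", containsRawTag(escaped, "h1"))
	fmt.Println("h1 survives as markup (trusted):", containsRawTag(trusted, "h1"))
}
```

Running it prints the escaped variant with `&lt;h1&gt;World&lt;/h1&gt;` in both the paragraph and the input value, while the trusted variant emits `<h1>World</h1>` unchanged. The practical rule it illustrates: an allowlist sanitiser is the right tool for content that is meant to be rendered as HTML, but a search query is plain text and should reach the template as a string so the engine's contextual escaping applies.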

@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020