dharmic6 opened a new issue, #21592:
URL: https://github.com/apache/superset/issues/21592

   A clear and concise description of what the bug is.
   
   #### How to reproduce the bug
   
   1. Go to csvtodatabaseview/form (CSV to Database configuration)
   2. Add the table name as `Test<img src=x onerror=alert('NetSPI')>`
   3. Provide the other required fields. Please make sure it is invalid data.
   4. You will see an alert window with `NetSPI`, as shown below
   5. The same happens for exceltodatabaseview/form (Excel upload form too)
   
   ### Expected results
   
   JS needs to be encoded as HTML entities before using them in an HTTP response so that they cannot be used to modify the structure of the HTML document.
   
   ### Actual results
   
   Alert window pops up
   ![Screen Shot 2022-09-26 at 4 06 14 PM](https://user-images.githubusercontent.com/25113963/192396326-2841d6c0-7c39-41d6-983f-a015767d0d13.png)
   
   
   #### Screenshots
   
   If applicable, add screenshots to help explain your problem.
   
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: Google Chrome Version 105.0.5195.125 (Official Build) (x86_64)
   - superset version: `2.0`
   - python version: `Python 3.9.12`
   - node.js version: `node -v`
   - any feature flags active:
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [X] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [X] I have reproduced the issue with at least the latest released version of superset.
   - [X] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   ### Additional context
   
   Add any other context about the problem here.
   
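The "Expected results" section above asks for user-supplied values to be HTML-entity encoded before they are written into a response. The following is an added example, not code from the reporter or from Superset, that shows the difference on the table-name value from the report: a fragment that interpolates the raw field value beside one that encodes it, plus a small check that counts tag openings to detect when user input has altered the document structure. The function and variable names, the error message text and the `REASON` value are constructed for the illustration.

```python
import html
import re

# Constructed sample input: the table name from the report, i.e. a value an
# upload form receives in the "table name" field and echoes back in an error
# message when the rest of the submission is invalid.
TABLE_NAME = "Test<img src=x onerror=alert('NetSPI')>"
REASON = "Table already exists"  # constructed error reason

def render_error_unsafe(table_name: str, reason: str) -> str:
    """'Before' behaviour: the raw field value is interpolated into the HTML
    fragment, so any markup inside it becomes part of the document."""
    return f'<div class="alert">Unable to upload CSV to table {table_name}: {reason}</div>'

def render_error_safe(table_name: str, reason: str) -> str:
    """'After' behaviour: every user-controlled value is entity-encoded at the
    point it is written into the response. quote=True also encodes the quote
    characters, so the value is safe inside attribute values as well."""
    return (
        '<div class="alert">Unable to upload CSV to table '
        f"{html.escape(table_name, quote=True)}: {html.escape(reason, quote=True)}</div>"
    )

# Matches the start of an HTML tag: "<", optional "/", then a letter.
TAG_RE = re.compile(r"<\s*/?[A-Za-z]")

def count_tags(fragment: str) -> int:
    """Number of tag openings in a rendered fragment."""
    return len(TAG_RE.findall(fragment))

# The fragments above contain exactly <div> and </div>.
EXPECTED_TAGS = 2

def input_altered_structure(fragment: str) -> bool:
    """True when the rendered fragment has more (or fewer) tags than the fixed
    template, i.e. user input changed the structure of the document, which is
    the condition the report describes."""
    return count_tags(fragment) != EXPECTED_TAGS

def demo() -> dict:
    unsafe = render_error_unsafe(TABLE_NAME, REASON)
    safe = render_error_safe(TABLE_NAME, REASON)
    return {
        "unsafe_altered": input_altered_structure(unsafe),
        "safe_altered": input_altered_structure(safe),
        # Encoding is an output concern only: the stored value is unchanged.
        "round_trips": html.unescape(html.escape(TABLE_NAME, quote=True)) == TABLE_NAME,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a Flask application the same effect is normally obtained by passing the plain string to `flash()` and letting Jinja2's autoescaping encode it when the template renders, rather than escaping by hand; the hand-written version above only makes the transformation visible. The counting check is deliberately crude and is meant as a unit-test assertion on a fixed template, not as a general HTML sanitizer.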


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
