Thanks for the report. I will create a case for the same in redmine <http://redmine.postgresql.org> .
-- Thanks & Regards, Ashesh Vashi EnterpriseDB INDIA: Enterprise PostgreSQL Company <http://www.enterprisedb.com> *http://www.linkedin.com/in/asheshvashi* <http://www.linkedin.com/in/asheshvashi> On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krz...@gmail.com> wrote: > Hi, > > I have created table: > CREATE TABLE "<h1 onmouseover='alert(1);'>x" ( > id serial > ); > > In sidebar I expanded "Tables" and i moved my mouse to table "X". In > that case I received javascript alert. > > XSS works when i put malicious code into index name or column name: > CREATE TABLE a (id serial); > CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id); > > CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial); > > > During removal index or table still see JavaScript alert. And last > one, in "Properties" tab. > > > All chars like <, >, ", '. should be filtered in names of tables, > columns, indexes. > > Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3 > on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat > 4.8.5-4), 64-bit > > > Regards, > Krzysztof Otręba > > > -- > Sent via pgadmin-support mailing list (pgadmin-support@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgadmin-support > >
