Please ask Khushboo (or Murtuza?) to work on this ASAP, and check for other 
similar cases.

I want it resolved on top priority.

Thanks.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

> On 4 Aug 2016, at 19:09, Ashesh Vashi <ashesh.va...@enterprisedb.com> wrote:
> 
> Thanks for the report.
> I will create a case for the same in redmine.
> 
> --
> Thanks & Regards,
> 
> Ashesh Vashi
> EnterpriseDB INDIA: Enterprise PostgreSQL Company
> 
> http://www.linkedin.com/in/asheshvashi
> 
>> On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krz...@gmail.com> wrote:
>> Hi,
>> 
>> I have created table:
>>     CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
>>         id serial
>>     );
>> 
>> In the sidebar I expanded "Tables" and I moved my mouse to table "X". In
>> that case I received a JavaScript alert.
>> 
>> XSS works when I put malicious code into an index name or a column name:
>>     CREATE TABLE a (id serial);
>>     CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
>> 
>>     CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
>> 
>> 
>> During removal of the index or table I still see the JavaScript alert. And
>> the last one, in the "Properties" tab.
>> 
>> 
>> All chars like <, >, ", ' should be filtered in names of tables,
>> columns, indexes.
>> 
>> Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
>> on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
>> 4.8.5-4), 64-bit
>> 
>> 
>> Regards,
>> Krzysztof Otręba
>> 
>> 
>> 
> 
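
Output encoding applied to the three names from the report above, as an added example that is not pgAdmin's code and not part of the original thread; the function names, the markup and the confirmation wording are assumptions. It encodes identifiers at the point they are written into HTML and uses a differential check to confirm that a name contributes no markup characters to the result.

```javascript
// Added example, not pgAdmin code. All function names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the identifier is concatenated into the tree node markup as-is.
function renderNodeUnsafe(name) {
  return '<span class="node-label" title="' + name + '">' + name + '</span>';
}

// After: the identifier is encoded for both the attribute and the text.
function renderNodeSafe(name) {
  const text = escapeHtml(name);
  return '<span class="node-label" title="' + text + '">' + text + '</span>';
}

// The same rule applies to messages built around a name (drop dialog).
function dropConfirmHtml(kind, name) {
  return '<p>Are you sure you want to drop ' + escapeHtml(kind) +
         ' <b>' + escapeHtml(name) + '</b>?</p>';
}

function countSpecials(html) {
  return (html.match(/[<>"']/g) || []).length;
}

// Differential check: a correctly encoded name adds no <, >, " or '
// beyond what the renderer emits for a harmless baseline name.
function leaksMarkup(render, name) {
  return countSpecials(render(name)) !== countSpecials(render('plain_name'));
}

// Identifier names quoted from the report in this thread.
const REPORTED_NAMES = [
  "<h1 onmouseover='alert(1);'>x",
  "<h1 onmouseover='alert(1);'>idx",
  "<h1 onmouseover='alert(1);'>column",
];

// Returns the reported names that a given renderer lets through as markup.
function audit(render) {
  return REPORTED_NAMES.filter((name) => leaksMarkup(render, name));
}

console.log('unsafe renderer leaks:', audit(renderNodeUnsafe).length);
console.log('safe renderer leaks:', audit(renderNodeSafe).length);
```

The `audit` function can be run as a regression test against every place a catalog name reaches the page: tree labels, tooltips, the drop confirmation and the "Properties" tab.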
