• Resolved phpone

    (@phpone)


    I found out that dynamic smartcodes “{custom.smartcode}” are not sanitized, allowing DOM XSS.

    I have currently disabled that output in my forms, and I hope it will be fixed soon.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Amimul Ihsan

    (@amimulihsanmahdi)

    Hello @phpone,

    Thank you for bringing this to our attention. We take security issues very seriously and appreciate your diligence in reporting this.

    To help us investigate and resolve the issue as quickly as possible, could you please provide us with additional details, including:

    • Steps to reproduce the issue
    • The specific form or page where the vulnerability was observed
    • Any example payloads or scripts that demonstrate the behavior
    • The browser and environment where the issue was tested

    We will check the issue deeply and get back to you.

    Thank you

    Thread Starter phpone

    (@phpone)

    Hello @amimulihsanmahdi and thanks for your reply.

    Using an HTML block, I found a suggestion about using dynamic smartcodes like

    {dynamic.INPUT_NAME}

    I found out that this allows inline code execution, as inputs are sanitized only on “submit”.

    So when using a dynamic smartcode, if you insert a value like

    <script>window.alert("injection")</script>

    you get the script executed inline.
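The behaviour described in this post, as an added example that is not the plugin's own code: an HTML block that substitutes {dynamic.INPUT_NAME} smartcodes is rendered once with raw field values and once with the values HTML-escaped at render time, which is the check that sanitizing only on submit misses. The smartcode syntax and the sample payload are taken from the thread; the function names, the template and the field values are constructed for illustration.

```javascript
// Added example, not code from the plugin or from the thread's participants.
// It shows why output must be escaped when a smartcode is rendered, not only
// validated when the form is submitted: the value is reflected into the page
// before any submit-time sanitization runs.

// Minimal HTML entity escaper for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Matches {dynamic.INPUT_NAME}; the syntax is the one quoted in the thread.
const SMARTCODE = /\{dynamic\.([A-Za-z0-9_]+)\}/g;

// Vulnerable variant: substitutes raw field values into the HTML block,
// so a value containing markup becomes live markup in the page.
function renderUnsafe(template, fields) {
  return template.replace(SMARTCODE, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? String(fields[name]) : "");
}

// Hardened variant: every substituted value is escaped at render time,
// independently of whatever validation happens on submit. Unknown
// smartcodes render as an empty string rather than being left in place.
function renderSafe(template, fields) {
  return template.replace(SMARTCODE, (_, name) =>
    Object.prototype.hasOwnProperty.call(fields, name) ? escapeHtml(fields[name]) : "");
}

// Constructed sample: an HTML block echoing the "name" input, with the
// payload quoted in the thread as the current field value.
const template = "<p>Hello, {dynamic.name}!</p>";
const fields = { name: '<script>window.alert("injection")</script>' };

const unsafe = renderUnsafe(template, fields); // contains a live <script> element
const safe = renderSafe(template, fields);     // the payload is shown as plain text
```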

    Plugin Support Amimul Ihsan

    (@amimulihsanmahdi)

    Hello @phpone,

    Thank you for sharing the details. We have fixed the issue on our development branch and, hopefully, it will be shipped with the upcoming update.

    Thank you

    Thread Starter phpone

    (@phpone)

    Update rolled out. Thanks. Great job!


The topic ‘Dynamic smartcodes not sanitized’ is closed to new replies.