Cross Site Scripting(XSS)vulnerability in code-server #4355
Labels
security
Security related
Milestone
Comments
|
@code-asher is this expected since the person would have to have access to the vm/machine running code-server? |
|
@jsjoeio someone can send you a forged link that makes you execute arbitrary code in your code-server instance. See https://owasp.org/www-community/attacks/xss/ |
|
Yeah we should probably make a habit of escaping everything we put into
the HTML or switch to a templating language.
|
|
@code-asher in my experience it's better to use a templating language that escapes everything by default, habits are hard to change ;) |
|
Very true! :D
I believe we have switching to a templating system on our roadmap, maybe
for now we can fix this issue until that switch happens.
|
|
@code-asher I can take a crack at the fix |
|
@mauri-sfdc that would be awesome! Thank you for reporting this and providing extra links (for me!). Let us know how we can help. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OS/Web Information
code-server --version: v3.12.0Steps to Reproduce
1.Open your browser and insert payload
/static/test%3Cmy_tag_efb4535077ba29aaca28167c491b4249/%3E%3Cimg%20src=x%3E%3Cscript%3Ealert(1)%3C/script%3E2.example:
http://127.0.0.1:8080/static/test%3Cmy_tag_efb4535077ba29aaca28167c491b4249/%3E%3Cimg%20src=x%3E%3Cscript%3Ealert(1)%3C/script%3EScreenshot
Notes
This issue can be reproduced in VS Code: Yes
The text was updated successfully, but these errors were encountered: