Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Architecture: Archived JS executes in a context shared with all other archived content (and the admin UI!) #239

Open
Milestone
@s7x

Description

@s7x

Describe the bug

Hi there!
There's an XSS vulnerability when you open your index.html if you saved a page with a title containing an XSS vector.

Steps to reproduce

  1. Save this page for example: [Twitter of @garethheyes] ](https://twitter.com/garethheyes/status/1126526480614416395)
  2. Open your index.html
  3. Get XSS'd by sir @garethheyes

Source code:

<a href="archive/1557816881/twitter.com/garethheyes/status/1126526480614416395.html" title="\u2028\u2029 op Twitter: "Another way to use throw without a semi-colon:<script>{onerror=alert}throw 1</script>"">

Software versions

  • OS: ArchLinux
  • ArchiveBox version: 903.59da482-1
  • Python version: python3.7
  • Chrome version: Chromium 74.0.3729.131 Arch Linux

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      [8]ページ先頭
      ©2009-2025 Movatter.jp