Comments (8)
moollaza
commented on August 17, 2024
2
We're investigating a frontend fix for this.
As @tagawa and @pjhampton mentioned, there isn't a real vulnerability here as it's just an input on the page. With DuckDuckHack in maintenance, the Fatheads are not being updated so for now this is more of an issue of the SERP breaking.
The IA is being taken offline (and some others that are breaking the SERP) and once we manage to fix we'll bring them back.
from zeroclickinfo-fathead.
kyzn
commented on August 17, 2024
2
I agree with @pjhampton, and I feel like this is more of a HTML injection. https://www.owasp.org/index.php/Testing_for_HTML_Injection_(OTG-CLIENT-003)
Thanks for taking care of DuckDuckGo 🥇 🙂
from zeroclickinfo-fathead.
tagawa
commented on August 17, 2024
1
Thanks for filing this @javathunderman. We've disabled this IA for now until a fix is released.
By the way, the content shown from wikiHow is actually data we've parsed and cached so not live data, which reduces the threat a little but is still obviously something we need to fix.
/cc @bbraithwaite
from zeroclickinfo-fathead.
pjhampton
commented on August 17, 2024
1
Sorry I'm late to the party.
Weird, I thought we had dealt with this early on in the post-processing of the data. However, this was a consistent issue with the FatHead IAs for programming
However, are we really sure this is XSS vulnerable? 🤔 https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
I have ran some tests of my own and got someone else to look at this as well.
What testing has the OP of that post done? How has he submitted a value via a vanilla textarea? Needs more details... disable if you guys feel fit though.
edit: I moved on slightly after this IA was developed, so I'm not sure how it was maintained to be honest. But it does look like it could be updated and run again for fresher info.
from zeroclickinfo-fathead.
moollaza
commented on August 17, 2024
1
This has been fixed.
from zeroclickinfo-fathead.
kyzn
commented on August 17, 2024
The link above (https://duckduckgo.com/?q=how+to+create+big+block+text+box) still loads the wikihow answer for me. Tried in Firefox 60.0.1 for Ubuntu (in a private window) & Chromium 66.0.3359.181 (incognito).
from zeroclickinfo-fathead.
javathunderman
commented on August 17, 2024
Same here, @tagawa. Seeing it on the latest version of the Android app.
…________________________________
From: Kivanc Yazan <[email protected]>
Sent: Thursday, May 31, 2018 2:20:39 AM
To: duckduckgo/zeroclickinfo-fathead
Cc: javathunderman; Mention
Subject: Re: [duckduckgo/zeroclickinfo-fathead] Wikihow: Possible XSS Vulnerability (#898)
The link above (https://duckduckgo.com/?q=how+to+create+big+block+text+box) still loads the wikihow answer for me. Tried in Firefox 60.0.1 for Ubuntu private window & Chromium 66.0.3359.181 incognito.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#898 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGkXnZBhulFiPt21tZPR6Syd2mNxDzKZks5t34u3gaJpZM4USMTX>.
from zeroclickinfo-fathead.
tagawa
commented on August 17, 2024
@kyzn @javathunderman Thanks for spotting that. Not sure what happened but I've just let the developers know.
from zeroclickinfo-fathead.
Related Issues (20)
- PerlDoc: Indentation broken. Code snippets need to be wrapped in `<pre><code>`
- Tldr Pages: [Suggestion] use man" HOT 1
- Tldr Pages: [sugestion] use "man"
- Wikipedia: Some birthdays are not showing the month HOT 1
- Wikipedia: HOT 1
- >'>"><img src=x onmouseover =confirm(0)>
- Linux Commands:
- WikipediaPolish:
- File Formats:
- PHP:
- Tldr Pages: xargs HOT 1
- HGNC Gene Names: More at HGNC link incorrect HOT 1
- GitManual: "<>" are not escaped properly HOT 3
- Wikipedia: not trigger
- Django: Update docs from 1.10 to 2.2
- Halopedia: Wrong site linked in the Fathead.
- Avatar:
- WikipediaGerman: can't see them on mobile-devices
- 24: Deep Sleep Diabetes Remedy HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from zeroclickinfo-fathead.