Comments (10)
Right now, markdown isn't rendered at all. I think md files are just dumped as text to the browser. So no vulnerability there.
Definitely something to keep in mind once markdown rendering is live.
from gitly.
I stand corrected. This is indeed something that should be fixed ASAP.
from gitly.
FYI, since pushing to gitly is not available yet, the source is also viewable separately (without XSS :^) here
from gitly.
Thanks for reporting this!
from gitly.
An XSS vuln is usually considered critical...
You could steal sessions and a lot of other really bad stuff could happen and you don't care?
from gitly.
I never said anything about not caring. Dumping text to the browser window is NOT an XSS vulnerability, since it is just text, and doesn't get executed.
If you know for a fact that it is being executed, then yes, that is indeed a critical problem.
from gitly.
Well if you click on the link you should see an alert. That's a pretty good sign that there is some execution going on.
from gitly.
This is not a gitly problem, this is a vweb problem, because the text inserts wrong. It needs to be filtered.
from gitly.
Well, we use vweb.RawHtml to render readme.md.
I've disabled it entirely, until we use an actual markdown parser again.
from gitly.
I've now written a fix for it in vweb with the new type vweb.RawText.
from gitly.
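The raw-HTML versus plain-text distinction argued over in the comments above, as an added JavaScript example that is not gitly's or vweb's own code. The README content is constructed here; `renderReadmeRaw` and `renderReadmeAsText` are hypothetical stand-ins for rendering a README through `vweb.RawHtml` versus rendering it as escaped text, and `containsActiveMarkup` is a crude check written for this example, not a real sanitizer.

```javascript
// Added example (not code from gitly or vweb): what goes wrong when a
// repository README is inserted into the page as raw HTML, and how
// HTML-escaping it (the "render as text" path) neutralises the payload.

// Constructed sample README: the kind of content an attacker could push
// to a repository so that it is rendered on the repository page.
const MALICIOUS_README = [
  '# Hello',
  '',
  'Some text <script>alert(document.cookie)</script>',
  '<img src=x onerror="alert(1)">',
].join('\n');

// Minimal HTML escaper: the five characters that can break out of text
// content or an attribute value are replaced with entities, so the
// browser displays them instead of parsing them as markup.
function escapeHtml(s) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return s.replace(/[&<>"']/g, (c) => entities[c]);
}

// Vulnerable path (hypothetical stand-in for vweb.RawHtml): the README
// string is dropped into the page as-is, so any tags it contains are
// parsed and any script in it runs in the viewer's session.
function renderReadmeRaw(markdown) {
  return `<div class="readme">${markdown}</div>`;
}

// Hardened path (hypothetical stand-in for rendering as text): the README
// is escaped first, so the browser shows the angle brackets as literal
// characters. Nothing in the README can become a tag or an attribute.
function renderReadmeAsText(markdown) {
  return `<div class="readme"><pre>${escapeHtml(markdown)}</pre></div>`;
}

// Crude check for the tests: does the output still contain a raw <script>
// tag or an on* event-handler attribute on some element? Only the
// wrapper markup added by the renderer should survive in the safe path.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}
```

Run both renderers on the constructed README: the raw path emits the `<script>` and `onerror` payloads unchanged, the text path emits `&lt;script&gt;...` which renders as visible text and never executes. Escaping on output is the fix for text; a real markdown renderer still needs an HTML sanitizer on its output, because markdown allows inline HTML.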