[SECURITY] Fix XSS issues with user submitted data

Oliver Hader requested to merge ohader/netmon:Security-XSS into master

User submitted data is currently assigned to the smarty template engine without being properly sanitized. This causes various XSS vectors all along the application.

A new NetmonSanitize smarty modifier has been created to allow only a bunch of pre-defined HTML tags and attributes. Although the modifier allows escaping invalid HTML partials, the current strategy is set to "stripTags", which leads to invalid parts being purged from the rendered markup.
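The allowlist approach and the two strategies named in the description, as an added example that is not netmon's own code and is not the NetmonSanitize modifier itself. The permitted tag and attribute sets, the scheme check on href, and the strategy names "stripTags" and "escape" are assumptions made for this illustration; text content is always entity-escaped regardless of strategy, and the difference between the two strategies is only what happens to markup that is not on the allowlist.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for this example; a real modifier would define its own.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens, keeping only allowlisted tags/attributes.

    strategy="stripTags": disallowed markup is dropped (its text content survives).
    strategy="escape":    disallowed markup is re-emitted as entity-escaped text.
    """

    def __init__(self, strategy="stripTags"):
        super().__init__(convert_charrefs=True)
        if strategy not in ("stripTags", "escape"):
            raise ValueError("strategy must be 'stripTags' or 'escape'")
        self.strategy = strategy
        self.out = []
        self.open_tags = []  # allowed, non-void tags currently open

    def _emit_disallowed(self, raw):
        if self.strategy == "escape":
            self.out.append(html.escape(raw, quote=False))
        # stripTags: emit nothing for the markup itself

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self._emit_disallowed(self.get_starttag_text())
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never pass
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drop javascript:, data: and relative/unknown schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self._emit_disallowed(f"</{tag}>")
            return
        if tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close any inner tags still open so the output stays balanced.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # A stray end tag with no matching start tag is simply dropped.

    def handle_data(self, data):
        # Text is always escaped; convert_charrefs already decoded entities,
        # so re-escaping here cannot double-encode.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self._emit_disallowed(f"<!--{data}-->")

    def result(self):
        while self.open_tags:  # close whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(value, strategy="stripTags"):
    """Entry point mirroring a template modifier: sanitize(user_value, strategy)."""
    parser = AllowlistSanitizer(strategy)
    parser.feed(value)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of hostile user input.
    sample = '<p onclick="x()">Hi <b>there</b><img src=x onerror="alert(1)">' \
             '<a href="javascript:alert(1)">link</a></p>'
    print(sanitize(sample, "stripTags"))
    print(sanitize(sample, "escape"))
```

With "stripTags" the disallowed img tag and the javascript: href vanish from the output, so the rendered page silently loses those parts; with "escape" the same markup is shown literally to the reader as text. Either way no attribute outside the allowlist and no unsafe URL scheme reaches the browser as markup.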