Fixed

HTML can be injected from the CSV logs

Tony Sheehy 8 years ago • updated by anonymous 3 years ago 3

HTML can be injected from existing log files stored locally on the service installation.

To demonstrate this behavior:

Include an entry in a log file with a source of "</div><label>This label will be visible in the logs.<label><div>".

I believe you've highlighted the problems with this one already, Adam (AJAX, etc.), so I accept there's not much we can do (if the user is searching for that sort of thing then they can't expect it to work). So long as it doesn't hang the service/web server in any way or take them to our ugly error page, I'm content.

My apologies, got the issues mixed up.

Although we're unlikely to log anything of the sort, other users potentially could with custom operation development... so is this as simple as HTML encoding each field, Adam?

Please confirm resolution.

This has been confirmed.
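
The fix asked about in the thread (HTML-encoding each field when the CSV log is rendered), shown as an added example; it is not code from this thread or from the product. The column names, timestamps and table layout are assumptions, and the sample log is constructed around the source value quoted in the report.

```python
import csv
import html
import io

# Constructed sample log (column names are assumptions). The second row's
# "source" field carries the markup quoted in the report.
SAMPLE_LOG = (
    "timestamp,level,source,message\n"
    "2016-03-01 10:00:00,INFO,Scheduler,Job started\n"
    '2016-03-01 10:00:05,WARN,'
    '"</div><label>This label will be visible in the logs.<label><div>",'
    "Custom operation\n"
)


def read_rows(text):
    """Parse CSV log text into (header, rows) using the csv module."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    return header, list(reader)


def render_unsafe(header, rows):
    """The 'before': field values are concatenated into the page as markup."""
    out = ["<table>"]
    out.append("<tr>" + "".join(f"<th>{h}</th>" for h in header) + "</tr>")
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{v}</td>" for v in row) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def render_encoded(header, rows):
    """The 'after': every header and field is HTML-encoded on output.
    quote=True also encodes quotes so values are safe in the title attribute."""
    enc = lambda v: html.escape(v, quote=True)
    out = ["<table>"]
    out.append("<tr>" + "".join(f"<th>{enc(h)}</th>" for h in header) + "</tr>")
    for row in rows:
        cells = "".join(f'<td title="{enc(v)}">{enc(v)}</td>' for v in row)
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    header, rows = read_rows(SAMPLE_LOG)
    print(render_encoded(header, rows))
```

Encoding happens at output time, so the log file on disk keeps the original text and the viewer shows it literally.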