Fixed

Html can be injected from the CSV logs

13 years ago • updated by 8 years ago • 3

Html can be injected from existing log files stored locally on the service installation.

To demonstrate this behavior:

Include an entry into a log file with a source of "</div><label>This label will be visible in the logs.<label><div>

Vote

Replies 3
Oldest first
- Newest first
- Oldest first

I believe you've highlighted the problems with this one already Adam (AJAX, etc) so I accept there's not much we can do (if the user is searching for that sort of thing then they can't expect it to work). So long as it doesn't hang the service/web server in anyway or take them to our ugly error page I'm content.

My apologies, got the issues mixed up.

Although we're unlikely to log anything of the sort, other users potentially could with custom operation development... so is this as simple as HTML encoding each field Adam?

13 years ago

Please confirm resolution.

13 years ago

This has been confirmed.

Customer support service by UserEcho

Html can be injected from the CSV logs

Votes left: 9/9

Topic stats