
CVE-2023-29133: XSS in Searchtext formatter in Cargo
Closed, ResolvedPublicSecurity


CargoQueryDisplayer::getTextSnippet() calls html_entity_decode( $snippet ). This undoes escaping, resulting in an XSS.

Steps to reproduce:
Have a cargo field named field of type Searchtext. Put the following value in it: <script>alert(1)</script> foo bar

Have a cargo query like the following:

|where=field matches 'foo'

Note the alert box that pops up.
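To show why that one decode call matters, here is an added PHP illustration (not Cargo's own code; the function names and the regression check are hypothetical) that escapes the report's sample value, then applies html_entity_decode() as the buggy code did, beside the version without it:

```php
<?php
// Added illustration, not Cargo's code: demonstrates how decoding entities
// after escaping reintroduces the raw <script> tag, and what the safe path is.
// Only html_entity_decode() comes from the report; everything else is hypothetical.

// Constructed sample field value, taken from the reproduction steps above.
$fieldValue = '<script>alert(1)</script> foo bar';

function escapeSnippet( string $text ): string {
	// Escape once for HTML output. This is the state the snippet should be in
	// when it is emitted into the page.
	return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

function vulnerableSnippet( string $text ): string {
	// Mirrors the bug: decoding entities after escaping restores the raw markup,
	// so the browser sees a live <script> element again.
	$snippet = escapeSnippet( $text );
	return html_entity_decode( $snippet, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

function fixedSnippet( string $text ): string {
	// The fix was simply to drop the decode call; the escaped text is returned as-is.
	return escapeSnippet( $text );
}

function containsRawTag( string $html ): bool {
	// Regression check usable in a unit test: no unescaped tag may survive in output.
	return (bool) preg_match( '/<\s*\/?\s*[a-z][^>]*>/i', $html );
}

$bad  = vulnerableSnippet( $fieldValue ); // contains a raw <script> tag
$good = fixedSnippet( $fieldValue );      // keeps &lt;script&gt; as entities

printf( "vulnerable output contains raw tag: %s\n", containsRawTag( $bad ) ? 'yes' : 'no' );
printf( "fixed output contains raw tag:      %s\n", containsRawTag( $good ) ? 'yes' : 'no' );
echo "fixed output: ", $good, "\n";
```

The same containsRawTag() check can be applied to the real getTextSnippet() output in a PHPUnit test to guard against the decode call being reintroduced.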


Author Affiliation
Other (Please specify in description)

Event Timeline

Bawolff changed Author Affiliation from N/A to Other (Please specify in description). Mar 6 2023, 5:53 PM

Thanks for pointing this out - and it turns out that that call is apparently no longer needed. I just removed it here:

Yaron_Koren claimed this task.

I assume this can be closed.

Mstyles renamed this task from XSS in Searchtext formatter in Cargo to CVE-2023-29133: XSS in Searchtext formatter in Cargo. Apr 4 2023, 4:17 AM
mmartorana changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 4 2023, 7:07 PM