Re: pgAdmin4 1.0-beta3 - XSS in sidebar

Thanks for the report.
I will create a case for the same in redmine <http://redmine.postgresql.org>
.

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company
<http://www.enterprisedb.com>

*http://www.linkedin.com/in/asheshvashi*
<http://www.linkedin.com/in/asheshvashi>

On Thu, Aug 4, 2016 at 11:35 PM, Krzysztof O <krzotr(at)gmail(dot)com> wrote:

> Hi,
>
> I have created table:
> CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
> id serial
> );
>
> In sidebar I expanded "Tables" and i moved my mouse to table "X". In
> that case I received javascript alert.
>
> XSS works when i put malicious code into index name or column name:
> CREATE TABLE a (id serial);
> CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
>
> CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
>
>
> During removal index or table still see JavaScript alert. And last
> one, in "Properties" tab.
>
>
> All chars like <, >, ", '. should be filtered in names of tables,
> columns, indexes.
>
> Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
> on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
> 4.8.5-4), 64-bit
>
>
> Regards,
> Krzysztof Otręba
>
>
> --
> Sent via pgadmin-support mailing list (pgadmin-support(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgadmin-support
>
>