fix(security): prevent xss attack in the search field by jll-02 · Pull Request #18847 · frappe/frappe · GitHub

fix(security): prevent xss attack in the search field #18847


Merged
merged 2 commits into from
Nov 11, 2022

Conversation

jll-02 (Contributor) commented Nov 11, 2022

When the navbar_search checkbox of the Website Settings is checked, an attack is possible where the attacker sends the victim a link. If the victim clicks on the link, some JavaScript code can be executed.
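The description above is the classic shape of a reflected XSS: a search term travels in the link, the page copies it into its own markup, and the browser parses the copy as HTML. The following is an added illustration, not code from frappe/frappe and not the diff of this PR (the page does not show it). The template, the function names, the `q` parameter and the payload are all constructed for the example; it only shows the vulnerable string-building pattern beside the escaped form that closes it.

```javascript
// Added illustration (not code from frappe/frappe or from PR #18847): how a
// search term reflected from the URL into navbar markup becomes reflected
// XSS, and how context-aware escaping closes it. Function names, the
// template and the payload are all constructed for this example.

// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value. '&' must be replaced first so the entities
// produced by the later replacements are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read the search term from the link the victim opened, e.g. /search?q=...
// URL.searchParams percent-decodes the value, which is exactly what the
// attacker relies on: the payload arrives in the page as raw characters.
function queryFromUrl(href) {
  const url = new URL(href, "https://example.invalid"); // base only so relative links parse
  return url.searchParams.get("q") || "";
}

// VULNERABLE pattern: string-building the widget with the raw query. A value
// containing '">' terminates the input element, and whatever follows is
// parsed as new markup, so an <img onerror=...> runs as soon as it renders.
function renderSearchVulnerable(q) {
  return '<input class="navbar-search" type="text" value="' + q + '">' +
         '<p class="search-hint">Showing results for ' + q + '</p>';
}

// HARDENED pattern: the same template, but every interpolation is escaped.
// The browser now treats the payload as literal text inside the value
// attribute and the paragraph; no new element is created.
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return '<input class="navbar-search" type="text" value="' + e + '">' +
         '<p class="search-hint">Showing results for ' + e + '</p>';
}

// Cheap regression check for a test suite: count start tags and require the
// rendered markup to contain exactly the ones the template itself has.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Walk through the attack with a constructed link. Returns both renderings
// so a test can inspect them.
function demo() {
  const payload = '"><img src=x onerror=alert(1)>';       // constructed sample payload
  const link = "/search?q=" + encodeURIComponent(payload); // what the attacker sends
  const q = queryFromUrl(link);                            // what the victim's page sees
  return {
    query: q,
    vulnerable: renderSearchVulnerable(q),
    safe: renderSearchSafe(q),
  };
}

const out = demo();
console.log("start tags in vulnerable render:", countStartTags(out.vulnerable)); // 4: template's 2 plus the injected <img> twice
console.log("start tags in hardened render:  ", countStartTags(out.safe));       // 2: only the template's own
```

The escaping has to happen at every place the term is interpolated, for the context it lands in (attribute value and text node here); escaping once at the input and then concatenating it elsewhere unescaped reopens the hole. Whether the actual change in this PR escapes the value, switches to a text-only DOM API, or does something else is not visible on this page.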

codecov bot commented Nov 11, 2022

Codecov Report

Merging #18847 (b414c2e) into develop (668a730) will decrease coverage by 0.05%.
The diff coverage is n/a.

❗ Current head b414c2e differs from pull request most recent head da045dd. Consider uploading reports for the commit da045dd to get more accurate results

@@             Coverage Diff             @@
##           develop   #18847      +/-   ##
===========================================
- Coverage    63.58%   63.53%   -0.06%     
===========================================
  Files          749      749              
  Lines        67443    67440       -3     
  Branches      6012     6012              
===========================================
- Hits         42886    42845      -41     
- Misses       21140    21170      +30     
- Partials      3417     3425       +8     
Flag        Coverage Δ
server-ui   31.55% <ø> (-0.06%) ⬇️
ui-tests    50.88% <ø> (-0.13%) ⬇️


@ankush ankush removed the request for review from surajshetty3416 November 11, 2022 11:17
@ankush ankush merged commit bfab719 into frappe:develop Nov 11, 2022
@ankush ankush added the labels backport version-13-hotfix, backport version-14-hotfix (backport to version 14) and defer backport (Backports for some PR are deferred for a week or two to test them properly before releasing), and removed the labels backport version-13-hotfix and backport version-14-hotfix (backport to version 14) Nov 11, 2022
mergify bot pushed a commit that referenced this pull request Nov 11, 2022
ankush pushed a commit that referenced this pull request Nov 11, 2022
(cherry picked from commit bfab719)

Co-authored-by: jll-02 <63648645+jll-02@users.noreply.github.com>
mergify bot pushed a commit that referenced this pull request Nov 11, 2022
ankush pushed a commit that referenced this pull request Nov 11, 2022
(cherry picked from commit bfab719)

Co-authored-by: jll-02 <63648645+jll-02@users.noreply.github.com>
@ankush ankush removed the defer backport label (Backports for some PR are deferred for a week or two to test them properly before releasing) Nov 11, 2022
Mutantpenguin (Contributor):
Would it be possible to get a backport to 12 too?

ankush (Member) commented Nov 12, 2022

@Mutantpenguin version-12 is not supported anymore. Please upgrade to v13 for security/bug fixes.

This one's a small change, so it can be ported easily.

mergify bot pushed a commit that referenced this pull request Nov 12, 2022
ankush pushed a commit that referenced this pull request Nov 12, 2022
(cherry picked from commit bfab719)

Co-authored-by: jll-02 <63648645+jll-02@users.noreply.github.com>
frappe-pr-bot pushed a commit that referenced this pull request Nov 15, 2022
# [14.15.0](v14.14.3...v14.15.0) (2022-11-15)

### Bug Fixes

* avoid patching QB if already patched ([a8ba877](a8ba877))
* breadcrumbs is broken ([90ca7b1](90ca7b1))
* check if the doctype exists before adding default logtypes in log settings ([#18867](#18867)) ([#18869](#18869)) ([93fe3e9](93fe3e9))
* dashboard view from workspace (backport [#18779](#18779)) ([#18813](#18813)) ([42f5e04](42f5e04))
* decorator ordering ([2245cc0](2245cc0))
* dont allow reading attributes of unsafe objects (backport [#18706](#18706)) ([#18806](#18806)) ([2b193bd](2b193bd)), closes [#18784](#18784)
* hardcode doctype in google oauth callback ([#18862](#18862)) ([78a337b](78a337b))
* page has an empty menu button ([b2bbcde](b2bbcde))
* raise exception if doc before save is not found ([#18796](#18796)) ([#18820](#18820)) ([7505a0d](7505a0d))
* reportview permlevel bug ([#18822](#18822)) ([#18828](#18828)) ([ec248a9](ec248a9))
* **security:** prevent xss attack in search ([#18847](#18847)) ([#18850](#18850)) ([8807035](8807035))

### Features

* Set default SQL statement timeouts ([8ab95f4](8ab95f4))
* show utilization percent on RQ Worker ([#18868](#18868)) ([#18870](#18870)) ([a7060fa](a7060fa))

### Performance Improvements

* faster as_list and as_dict ([33d6369](33d6369))
* faster generate_hash (backport [#18825](#18825)) ([#18851](#18851)) ([bb5c7d5](bb5c7d5))
* **workflow:** get_transitions ([#18834](#18834)) ([#18839](#18839)) ([3f71181](3f71181))

### Reverts

* async await in breadcrumbs.js ([6a1e619](6a1e619))
frappe-pr-bot pushed a commit that referenced this pull request Nov 15, 2022
# [13.44.0](v13.43.2...v13.44.0) (2022-11-15)

### Bug Fixes

* page has an empty menu button ([637cb45](637cb45))
* reportview permlevel bug (backport [#18822](#18822)) ([#18827](#18827)) ([acb6f57](acb6f57))
* reset workspace ([271c5d0](271c5d0))
* **security:** prevent xss attack in search ([#18847](#18847)) ([#18849](#18849)) ([8b42091](8b42091))

### Features

* Set default SQL statement timeouts (backport [#18771](#18771)) ([#18800](#18800)) ([127763a](127763a))

### Performance Improvements

* **workflow:** get_transitions ([#18834](#18834)) ([9ec557d](9ec557d))
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 27, 2022
Labels: backport version-14-hotfix (backport to version 14)