Hey Victor, I'm sending this reply to pydotorg-www@, since it is they who handle updating the web site.
webmaster@ is a common destination for such queries, but all we can do is what I've just done in most cases.

Kind regards,
Steve Holden

On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner <[email protected]> wrote:
> Hi python.org webmasters,
>
> Would you mind having a look? :-)
>
> Victor
>
> ---------- Forwarded message ---------
> From: Nikhil1R via PSRT <[email protected]>
> Date: Fri, 10 Jan 2020 at 10:18
> Subject: [PSRT] XSS DOM on python.org
> To: [email protected] <[email protected]>
>
>
> [*] Summary:
> XSS DOM on https://www.python.org/
>
> [*] Steps To Reproduce:
>
> 1. Open https[://]spotify[.]com/us/
> 2. Go to the "Web Developer's" options and select the "Inspector" option.
> 3. In the inspector, select the <img class="python-logo"
>    src="/static/img/python-logo.png" alt="python™">
> 4. Right-click it and select "Edit as HTML".
> 5. Replace the value in quotes "/static/img/python-logo.png" with the
>    string "><svg onload=alert(1)> .
> 6. After that, click outside the HTML editing box.
> 7. Hence, you will get the alert of the XSS (DOM based) being executed.
>
> [*] Impact:
> The source is controlled by the user, so they can execute the XSS for a
> dangerous sink.
>
> [*] Supporting Material/References:
>
> 1. Screenshots attached are .png.
> 2. Browser: Latest Firefox 71.0 (64-bit) for Linux & latest
>    Firefox for Windows.
> 3. OS: Linux, Windows.
>
> Note: I'm only attaching the screenshot for Linux, but I had also
> tested this on Windows 10.
> -----------------------------
> Python Security Response Team
> Unsubscribe:
> https://mail.python.org/mailman/options/psrt/vstinner%40python.org
>
>
> --
> Night gathers, and now my watch begins. It shall not end until my death.
> _______________________________________________
> Webmaster mailing list
> [email protected]
> https://mail.python.org/mailman/listinfo/webmaster
>
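To make the source-to-sink point in the report's Impact section concrete, here is an added example that is not part of the thread: a constructed page fragment that drops untrusted text into the logo's src attribute by string concatenation (the only kind of code path through which a real DOM XSS reaches a sink) beside the same rendering with the attribute value escaped. The function names and the rendering code are assumptions for illustration; the payload is the one quoted in step 5.

```javascript
// Added example (not from the thread). Runs under Node.js.
// Constructed input: the payload quoted in step 5 of the report.
const REPORTED_PAYLOAD = '"><svg onload=alert(1)>';

// Vulnerable pattern (hypothetical): untrusted text is concatenated straight
// into a double-quoted HTML attribute. Editing the attribute by hand in the
// browser inspector involves no such code path and affects only that browser.
function renderLogoUnsafe(src) {
  return '<img class="python-logo" src="' + src + '" alt="python™">';
}

// Escape the five characters that can change meaning inside an attribute
// value: the quote closes the attribute, and < > start or end a tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same markup, but the value can no longer close the quote
// or introduce a new element.
function renderLogoSafe(src) {
  return '<img class="python-logo" src="' + escapeAttr(src) + '" alt="python™">';
}

// Review check over rendered output: count element openers. One means the
// value stayed inside the src attribute; two means a new tag was injected.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log(renderLogoUnsafe(REPORTED_PAYLOAD), countTags(renderLogoUnsafe(REPORTED_PAYLOAD))); // 2
console.log(renderLogoSafe(REPORTED_PAYLOAD), countTags(renderLogoSafe(REPORTED_PAYLOAD)));     // 1
```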
_______________________________________________
pydotorg-www mailing list
[email protected]
https://mail.python.org/mailman/listinfo/pydotorg-www
