Is this a variable in a template whose value is controlled by (always untrusted) user-supplied input?
Maybe I've misread the vuln report? Doesn't this apply to any website? I.e. a person can edit the HTML of any page with developer tools and add code wherever. AFAIU, users can XSS themselves with that approach in all cases.

Is there a suggested remediation (field in the email template)? I.e. website maintainers with control over the HTML source should — in general — not add malicious JS, HTML, or CSS.

https://en.wikipedia.org/wiki/Cross-site_scripting
https://en.wikipedia.org/wiki/Self-XSS ?

Is there a header or something that modifies the browser protections against this approach?

(Adding code with DevTools or by pasting a URL containing JS into the location bar *should* raise an error; MITM XSS can't be detected because hashes can be changed or removed (even if signed) without TLS/SSL PKI; and user-supplied input from form fields or URL parameters should always be appropriately escaped)

https://cwe.mitre.org/data/definitions/79.html
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://www.owasp.org/index.php/Client_Side_Testing

Can someone explain what even a static HTML site can do to limit the impact of "Self XSS"?

Perhaps I've misunderstood the report

On Fri, Jan 10, 2020, 1:12 PM Steve Holden <st...@holdenweb.com> wrote:

> Hey Victor,
>
> I'm sending this reply to pydotorg-www@, since it is they who handle
> updating the web site.
>
> webmaster@ is a common destination for such queries, but all we can do is
> what I've just done in most cases.
>
> Kind regards,
> Steve Holden
>
>
> On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner <vstin...@python.org>
> wrote:
>
>> Hi python.org webmasters,
>>
>> Would you mind having a look? :-)
>>
>> Victor
>>
>> ---------- Forwarded message ---------
>> From: Nikhil1R via PSRT <p...@python.org>
>> Date: Fri, 10 Jan 2020 at 10:18
>> Subject: [PSRT] XSS DOM on python.org
>> To: secur...@python.org <secur...@python.org>
>>
>>
>> [*] Summary:
>> XSS DOM on https://www.python.org/
>>
>> [*] Steps To Reproduce:
>>
>> 1. Open https[://]spotify[.]com/us/
>> 2. Go to the "Web Developer's" options and select the "Inspector" option.
>> 3. In the inspector, select the <img class="python-logo"
>> src="/static/img/python-logo.png" alt="python™">
>> 4. Right-click it and select "Edit as HTML".
>> 5. Replace the value in quotes "/static/img/python-logo.png" with the
>> string "><svg onload=alert(1)> .
>> 6. After that, click outside the HTML editing box.
>> 7. Hence, you will get the alert of the XSS (DOM-based) being executed.
>>
>> [*] Impact:
>> Source is controlled by user so they can execute the XSS for
>> dangerous sink.
>>
>> [*] Supporting Material/References:
>>
>> 1. Screenshots attached as .png.
>> 2. Browser: Latest Firefox 71.0 (64-bit) for Linux & latest
>> Firefox for Windows.
>> 3. OS: Linux, Windows.
>>
>> [] Note: I'm only attaching the screenshot for Linux, but I had
>> also tested this on Windows 10. []
>> -----------------------------
>> Python Security Response Team
>> Unsubscribe:
>> https://mail.python.org/mailman/options/psrt/vstinner%40python.org
>>
>>
>> --
>> Night gathers, and now my watch begins. It shall not end until my death.
>> _______________________________________________
>> Webmaster mailing list
>> webmas...@python.org
>> https://mail.python.org/mailman/listinfo/webmaster
>>
> _______________________________________________
> pydotorg-www mailing list
> pydotorg-www@python.org
> https://mail.python.org/mailman/listinfo/pydotorg-www
>
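The distinction the reply draws, between untrusted input reaching an HTML sink and a tester editing their own DOM, as an added example that is not part of the thread or of python.org's code: a small Python renderer for the logo tag, shown in its vulnerable and escaped forms and checked against the payload quoted in the report, an allow-list check for an image path that does come from user input, and the Content-Security-Policy header form that disallows inline script. The function names, the allow-list prefix and the policy string are assumptions chosen for illustration.

```python
"""Added example (not from the thread or python.org): where XSS escaping
and a CSP header apply, versus a self-inflicted DOM edit."""
from html import escape
from urllib.parse import urlsplit

# Payload quoted in the report: closes the src attribute and injects an
# <svg> element whose onload handler runs script.
REPORT_PAYLOAD = '"><svg onload=alert(1)>'


def render_logo_unsafe(src: str) -> str:
    """Vulnerable form (illustrative): the attribute value is interpolated
    verbatim. This is only an XSS if `src` can arrive from an untrusted
    source such as a query parameter, form field or stored record. A person
    editing their own page in DevTools is not such a source."""
    return f'<img class="python-logo" src="{src}" alt="python">'


def render_logo_safe(src: str) -> str:
    """Hardened form: HTML-attribute escaping turns the quote and angle
    brackets into entities, so the value cannot end the attribute or open
    a new tag."""
    return f'<img class="python-logo" src="{escape(src, quote=True)}" alt="python">'


def is_safe_image_path(src: str) -> bool:
    """Allow-list check for an image path that genuinely comes from user
    input (assumed policy): site-relative, under /static/, no scheme or host,
    and none of the characters that terminate an attribute or open a tag."""
    parts = urlsplit(src)
    if parts.scheme or parts.netloc:
        return False
    return src.startswith("/static/") and not any(c in src for c in "\"'<>")


def csp_header() -> str:
    """Constructed Content-Security-Policy value: scripts only from the
    site's own origin, no 'unsafe-inline', so inline event handlers such as
    onload= are not executed when injected markup reaches the page."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


if __name__ == "__main__":
    print("unsafe:", render_logo_unsafe(REPORT_PAYLOAD))
    print("safe:  ", render_logo_safe(REPORT_PAYLOAD))
    print("path allowed:", is_safe_image_path("/static/img/python-logo.png"))
    print("Content-Security-Policy:", csp_header())
```

The escaped output still contains the payload text, but as `&quot;&gt;&lt;svg ...`, so the browser renders it as an attribute value rather than a new element. The CSP value is a site-wide mitigation for markup that is actually injected into served pages; it is not a server-side fix for the report's steps, which involve no untrusted input reaching the site's templates.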