Errata - 3.3.0 XSS in error templates

It has been reported (thanks to Kamaljeet Kumar Sharma) that the default error templates shipped with the framework we use (CodeIgniter) are subject to XSS attacks.

We have now edited these templates to pass their output through htmlentities. This makes the output look 'ugly', because any HTML in the error message is now printed literally rather than rendered as formatting.

We feel this sacrifice is required to eliminate the possibility of further XSS vulnerabilities wherever an error is raised.

You can update your four error templates if this is a large concern for you.

The files are on github at https://github.com/Opmantek/open-audit/tree/master/code_igniter/application/errors
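As an added illustration of the change described above (this is not Open-AudIT's or CodeIgniter's own template code), here is a CodeIgniter-style error template before and after wrapping its output in htmlentities. `$heading` and `$message` are the variables CodeIgniter's show_error() hands to its error templates; the `esc()` helper and the `function_exists` guard are assumptions added for this example.

```php
<?php
// Hypothetical template in the style of CodeIgniter's
// application/errors/error_general.php. CodeIgniter's show_error()
// extracts $heading and $message into the template's scope.
defined('BASEPATH') OR exit('No direct script access allowed');

// Helper constructed for this example (not part of CodeIgniter).
// Encodes every character that could open a tag or break out of an
// attribute, assuming UTF-8 output. ENT_QUOTES also covers single
// quotes in case a value ever lands inside an attribute; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string.
// The guard avoids a "cannot redeclare" fatal error if the template is
// included more than once in the same request.
if (!function_exists('esc')) {
    function esc($value)
    {
        return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
?>

<?php /* BEFORE: markup inside $heading or $message is rendered as HTML,
         so any request data that reaches an error message is executed
         by the browser. This is the vulnerable form. */ ?>
<div id="container">
    <h1><?php echo $heading; ?></h1>
    <?php echo $message; ?>
</div>

<?php /* AFTER: the same template with every dynamic value encoded.
         HTML that the framework itself builds into $message (for example
         paragraph tags) now appears literally, which is the 'ugly' output
         the errata describes; the trade-off is that no value echoed here
         can inject script. */ ?>
<div id="container">
    <h1><?php echo esc($heading); ?></h1>
    <?php echo esc($message); ?>
</div>
```

The same wrapping applies to every variable echoed by the other templates in that directory (for example `$filepath`, `$line` and `$severity` in the PHP error template), not only to `$message`.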
