Re: dojo / CVE-2018-6561
I tend to agree with your analysis.
Source edit mode seems to be a separate module.
I do not know whether that one is included or not.
According to that module page it has filtering support to filter out
such things to avoid XSS attacks.
I agree with you that the server side that the data is posted to also
needs to validate the contents, as you cannot trust a client-side
security check.
I think we can mark this as ignored as this is more of a minor security problem.
On 6 February 2018 at 08:31, Brian May <email@example.com> wrote:
> Hello All,
> Looking at
> The complaint appears to be: If I directly enter HTML into the
> I tried to reproduce this with the same online editor:
> However I seem to be unable to find the source mode button.
> Let's just assume this complaint is reproducible.
> dangerous HTML text, the fact remains it is still possible for the user
> to override the data submitted and still create XSS attacks.
> Hence I believe the only solution for this security bug is that the
> server the data is being submitted to must sanitise the HTML to ensure
> it is safe (and should already be doing so).
> library to validate input is a *security* *bug*, as the server should be
> doing this.
> Any comments?
> Brian May <firstname.lastname@example.org>
--- Inguza Technology AB --- MSc in Information Technology ----
/ email@example.com Folkebogatan 26 \
| firstname.lastname@example.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /