Xpra: Ticket #2724: XSS vulnerability in xpra HTML5 client

Hello,

we found a very simple XSS vulnerability in the xpra HTML5 client. Demo: https://xpra.org/html5/connect.html?disconnect=%3Cimg%20src=x%20onerror=alert(%27hello%27);%3E

Patch file is attached.

Cheers!
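
The rendering pattern behind this report, shown as an added example that is not the reporter's patch or xpra's own code: a query parameter (`disconnect`) is interpolated into page markup unescaped, beside the escaped form and a simple check. `escapeHtml`, the two render functions and `containsInjectedTag` are hypothetical names, and `DEMO_QUERY` is reconstructed from the ticket's demo URL.

```javascript
// Added example (not xpra code): contrasts the vulnerable pattern in the
// report (the "disconnect" query value inserted as HTML) with an escaped form.

// Minimal HTML escaper for the five characters that matter in text and
// attribute contexts. Hypothetical helper, assumed here.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the raw parameter value is interpolated into markup,
// which is what assigning it to an element's innerHTML does in the browser.
function renderDisconnectVulnerable(queryString) {
  const reason = new URLSearchParams(queryString).get("disconnect") || "";
  return `<div id="disconnect-reason">${reason}</div>`;
}

// Hardened pattern: the value is escaped first, so the browser renders it as
// text. In a live page, assigning to textContent achieves the same effect.
function renderDisconnectSafe(queryString) {
  const reason = new URLSearchParams(queryString).get("disconnect") || "";
  return `<div id="disconnect-reason">${escapeHtml(reason)}</div>`;
}

// Regression check for a unit test: the template only ever emits one <div>,
// so any other tag in the output came from user-controlled input.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div( [^>]*)?>$/.test(t));
}

// Constructed sample: the query string of the ticket's demo URL, rebuilt
// with encodeURIComponent so URLSearchParams decodes it the same way.
const DEMO_QUERY =
  "disconnect=" + encodeURIComponent("<img src=x onerror=alert('hello');>");

console.log("vulnerable:", renderDisconnectVulnerable(DEMO_QUERY));
console.log("escaped:   ", renderDisconnectSafe(DEMO_QUERY));
console.log("injected tag in vulnerable output:",
  containsInjectedTag(renderDisconnectVulnerable(DEMO_QUERY)));
```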



Fri, 10 Apr 2020 13:13:25 GMT - flx: attachment set


Fri, 10 Apr 2020 13:26:40 GMT - Antoine Martin: status changed; resolution set

Thanks, applied in r26077.


Tue, 14 Apr 2020 17:23:59 GMT - flx: summary changed


Sat, 23 Jan 2021 05:59:04 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2724