Security Headlines

Tag: #xss

GHSA-gx8m-f3mp-fg99: formwork Cross-site scripting vulnerability in Markdown fields

### Impact

Users with access to the administration panel with page editing permissions could insert `<script>` tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.

### Patches

- [**Formwork 1.13.0**](https://github.com/getformwork/formwork/releases/tag/1.13.0) has been released with a patch that solves this vulnerability. Now the system config option `content.safe_mode` (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
- [**Formwork 2.x** (6adc302)](https://github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723) adds a similar `content.safeMode` system option. Like Formwork 1.13.0, by default HTML ...

HAWKI 1.0.0-beta.1 XSS / File Overwrite / Session Fixation

HAWKI version 1.0.0-beta.1 before commit 146967f suffers from cross-site scripting, arbitrary file overwrite, and session fixation vulnerabilities.

Ubuntu Security Notice USN-6788-1

Ubuntu Security Notice 6788-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Cops Are Just Trolling Cybercriminals Now

Police are using subtle psychological operations against ransomware gangs to sow distrust in their ranks—and trick them into emerging from the shadows.

GHSA-c4c3-j73v-634r: silverstripe/framework has Cross-site Scripting vulnerability in page history comparison

An authenticated user with page edit permission can craft HTML which, when rendered in a page history comparison, executes client-side scripts.

GHSA-pp7q-6j3f-74vj: silverstripe/framework has Cross-site Scripting vulnerability in RedirectorPage

RedirectorPage allows users to specify a non-URL malicious script as the redirection path without validation. Users who follow this URL may have the script execute within their browser.
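The Formwork advisory above (a `safe_mode` that escapes HTML tags and dangerous links in editor-authored Markdown) and this RedirectorPage advisory (a stored redirect target that is never checked to be a URL) come down to the same two controls: escape user-authored markup by default, and allowlist the URL schemes a stored link or redirect may use. The Python below is an added illustration written for this page, not code from Formwork or Silverstripe; the `render_field`, `link_is_safe` and `is_safe_redirect` functions, the toy `[label](target)` link syntax, the scheme allowlist and the sample payloads are all assumptions of the example (the `"><svg/onload=alert(/xss/)>` string is the one quoted in the page-name advisory further down).

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an editor-supplied link may use.  Anything else (javascript:,
# data:, vbscript:, ...) is treated as dangerous.  This allowlist is an
# assumption of the example, not Formwork's or Silverstripe's own list.
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}

# Minimal [label](target) link syntax, enough to show the problem.
# Parentheses inside the target are not supported (percent-encode them).
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")


def _clean_url(target: str) -> str:
    """Normalise a URL the way a browser does before it reads the scheme:
    drop leading C0 controls/space and remove ASCII tab/CR/LF anywhere, so
    that "java\\tscript:alert(1)" is not mistaken for a relative link."""
    target = re.sub(r"^[\x00-\x20]+", "", target)
    return re.sub(r"[\t\r\n]", "", target)


def link_is_safe(target: str) -> bool:
    """A link inside content is safe if it is relative (no scheme) or uses
    an allowlisted scheme.  urlsplit lowercases the scheme for us."""
    scheme = urlsplit(_clean_url(target)).scheme
    return scheme == "" or scheme in ALLOWED_LINK_SCHEMES


def render_field(text: str, safe_mode: bool = True) -> str:
    """Render one editor-authored field to HTML.

    safe_mode=True: raw HTML is escaped and links with a disallowed scheme
    lose their href (the label is kept as plain text).
    safe_mode=False: raw HTML and any link target pass through unchanged,
    which is the behaviour the Formwork advisory describes as vulnerable.
    """

    def emit_text(chunk: str) -> str:
        return html.escape(chunk, quote=True) if safe_mode else chunk

    def emit_link(match: re.Match) -> str:
        label, target = match.group(1), match.group(2)
        if safe_mode and not link_is_safe(target):
            return emit_text(label)  # drop the dangerous href entirely
        # Attribute-escape the href in both modes; on its own this does
        # nothing against a javascript: scheme, the allowlist does that.
        return f'<a href="{html.escape(target, quote=True)}">{emit_text(label)}</a>'

    out, pos = [], 0
    for match in LINK_RE.finditer(text):
        out.append(emit_text(text[pos:match.start()]))
        out.append(emit_link(match))
        pos = match.end()
    out.append(emit_text(text[pos:]))
    return "".join(out)


def is_safe_redirect(target: str) -> bool:
    """Validate a stored redirect destination, such as a RedirectorPage
    external URL, before it is emitted as a Location header or href.
    Accept absolute http(s) URLs and site-relative paths only; reject
    javascript:/data: and the like, protocol-relative //host targets, and
    backslashes (which browsers treat as slashes in http(s) URLs)."""
    cleaned = _clean_url(target)
    if "\\" in cleaned:
        return False
    parts = urlsplit(cleaned)
    if parts.scheme in ("http", "https"):
        return bool(parts.netloc)
    if parts.scheme == "":
        return cleaned.startswith("/") and not cleaned.startswith("//")
    return False


if __name__ == "__main__":
    # Constructed payloads for the demo.
    for payload in ["Hi <script>alert(1)</script>",
                    '"><svg/onload=alert(/xss/)>',
                    "[click](javascript:alert%28document.cookie%29)",
                    "[docs](https://example.com/?a=1&b=2)"]:
        print(f"unsafe: {render_field(payload, safe_mode=False)}")
        print(f"safe:   {render_field(payload)}")
    for url in ["javascript:alert(1)", "java\tscript:alert(1)",
                "//evil.example/", "/about-us", "https://example.com/"]:
        print(f"{url!r:32} redirect ok: {is_safe_redirect(url)}")
```

Two points worth noting. First, attribute-escaping the href (which many templates already do) does not help against a `javascript:` target, because the scheme contains no characters that escaping touches; only the scheme allowlist stops it. Second, the scheme must be read the way the browser will read it: browsers drop ASCII tab, CR and LF anywhere in a URL and ignore leading control characters, so `java\tscript:` must be normalised before the check or it will be classified as a harmless relative link.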

GHSA-r85g-7jpv-8xrx: silverstripe/framework has Cross-site Scripting vulnerability in CMSSecurity BackURL

As a follow-up to [SS-2016-001](https://www.silverstripe.org/download/security-releases/ss-2016-001/), a minor issue with an incorrectly encoded URL remains unresolved.

GHSA-hhvj-mcrx-3vcf: silverstripe/framework has Cross-site Scripting vulnerability in page name

silverstripe/framework is vulnerable to XSS in Page name where the payload `"><svg/onload=alert(/xss/)>` will trigger an XSS alert.

GHSA-468j-6jrc-2rjx: silverstripe/framework vulnerable to Cross-site Scripting In `OptionsetField` and `CheckboxSetField`

The list of key/value pairs assigned to `OptionsetField` or `CheckboxSetField` does not have a default casting assigned to it. The effect is a potential XSS vulnerability in lists where either the key or the value contains unescaped HTML.

GHSA-r9vp-fp72-xgf7: silverstripe/framework's `Member.Name` is not escaped

The core template `framework/templates/Includes/GridField_print.ss` uses "Printed by $Member.Name". If the currently logged-in member's first name or surname contains XSS, this prints the raw HTML, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.