XSS from GitHub <script>alert(1)</script>

[marsrobertson]

https://gitcoin.co/issue/kleros/hackathon/1/2824

It fetches content from GitHub issue, that has some XSS...

It only took me half a year to report.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 0.4 ETH (50.67 USD @ $126.68/ETH) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $68,225.11 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

⚡️ A tip worth 0.20000 ETH (25.34 USD @ $126.68/ETH) has been granted to @marsrobertson for this issue from @owocki. ⚡️

Nice work @marsrobertson! Your tip has automatically been deposited in the ETH address we have on file.

• $68225.11 in Funded OSS Work Available at: https://gitcoin.co/explorer
• Incentivize contributions to your repo: Send a Tip or Fund a PR
• No Email? Get help on the Gitcoin Slack

[gitcoinbot]

⚡️ A *Bug Finder* Kudos has been sent to @marsrobertson for this issue from @owocki. ⚡️ Nice work @marsrobertson! Your Kudos has automatically been sent in the ETH address we have on file.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work has been started.

These users each claimed they can complete the work by 1 week, 5 days from now.
Please review their action plans below:

1) mul53 has been approved to start work.

Hi, i have looked around and found one of the areas not been escaped is the Submit A Plan field. I will look around more and make fixes if approved.

Learn more on the Gitcoin Issue Details page.

[marsrobertson]

That is very kind, didn't expect a tip!

(yeah, it took only HALF YEAR to report as a bug)

[mul53]

@owocki, i want to create a bounty in the test environment. It says Please enable this token to proceed.. On the /settings/token page under tokens there is no ETH. What steps should i take?

[mul53]

Hey @owocki is there a reason this middleware was commented out, when its included the input entered by users is escaped which prevents a XSS attack.

web/app/app/settings.py

Line 131 in ff1a890

# 'app.middleware.bleach_requests',

[kuhnchris]

I think it caused issues with other parts of the page, @thelostone-mc @danlipert you guys remember why we disabled that?

[danlipert]

@kuhnchris @mul53 yeah, it was causing issues in quite a few places so we ended up disabling it

[gitcoinbot]

@mul53 Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[mul53]

Alright, i will just add pre_save callback to escape fields before save

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 0.4 ETH (51.69 USD @ $129.23/ETH) has been submitted by:

1. @mul53

@owocki please take a look at the submitted work:

• PR by @mul53

---

• Learn more on the Gitcoin Issue Details page
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $66,386.64 more funded OSS Work available on the Gitcoin Issue Explorer

[mul53]

Hey what’s the status on this, I’m kinda locked up on the number of bounties I can pick up.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

The funding of 0.4 ETH (56.22 USD @ $140.54/ETH) attached to this issue has been approved & issued to @mul53.

Additional Tips for this Bounty:

• owocki tipped 0.2000 ETH worth 28.11 USD to marsrobertson.

---

• Learn more on the Gitcoin Issue Details page
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $68,660.73 more funded OSS Work available on the Gitcoin Issue Explorer