Upcoming moOde 9.1.0 release
#14
(09-13-2024, 05:58 PM)TheOldPresbyope Wrote: So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".

Examples:


Code:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...


All in all, detection and reporting seems to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong <grin>).

Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.

Regards,
Kent

Parentheses are not part of the regex but 'script' is an XSS command. It's in the word 'transcription'. I'll have to refine the XSS command detection so that normal words don't trigger detection.
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
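The false positive discussed in this post, as an added example (Python, not moOde's own PHP code): a bare substring match on the keyword 'script' flags the word 'transcription', while anchoring the keyword to a context a browser would actually execute (an opening or closing script tag, a javascript: URL scheme, an event-handler attribute) leaves ordinary titles alone and still fires on real payloads. The sample values are constructed from the tag|value pairs in the log lines quoted above plus three hypothetical malicious values; the character set and keyword list are assumptions, not moOde's actual lists. The escape function at the end is the point Kent makes about tightening the webUI: output encoding is the control that prevents the injection, the detection is only a log diagnostic.

```python
import html
import re

# Constructed sample tag|value pairs, modelled on the values in the log lines
# quoted above, plus three hypothetical malicious values so the refined check
# can be shown to still fire on real payloads.
SAMPLES = [
    ("Composer", "<Various Composers>"),
    ("Title", "Marguerite (Albumblatt) for violin & piano "
              "(transcription of work by Rachmaninov)"),
    ("Title", "Let X=X"),
    ("Comment", "fre:ac - free audio converter <https://www.freac.org/>"),
    ("Title", "<script>alert(1)</script>"),          # constructed payload
    ("Comment", "<img src=x onerror=alert(1)>"),     # constructed payload
    ("Title", "javascript:alert(1)"),                # constructed payload
]

# Characters that trigger "XSS character detected". The page shows '<' and '='
# being reported; this set is an assumption, not moOde's actual list.
XSS_CHARS = "<>="

# Naive keyword check: a bare substring match. "transcription" contains
# "script", which is exactly the false positive discussed in the post.
NAIVE_COMMANDS = ("script", "alert", "onerror", "onload", "javascript")


def char_detect(value):
    """Return the suspicious characters present in value, in a stable order."""
    return [c for c in XSS_CHARS if c in value]


def naive_command_detect(value):
    """Substring match: flags 'transcription' because it contains 'script'."""
    v = value.lower()
    return [kw for kw in NAIVE_COMMANDS if kw in v]


# Refined check: flag the keyword only in a context where a browser would
# treat it as code, not as an ordinary word embedded in other text. The \b
# before 'on' means a title containing 'Moon=' does not trip event_handler.
REFINED_PATTERNS = {
    "script_tag":    re.compile(r"<\s*/?\s*script\b", re.I),
    "js_scheme":     re.compile(r"\bjavascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def refined_command_detect(value):
    """Context-anchored match: returns the names of the patterns that fired."""
    return [name for name, pat in REFINED_PATTERNS.items() if pat.search(value)]


def escape_for_html(value):
    """Output encoding: the control that actually stops the injection."""
    return html.escape(value, quote=True)


def secchk_lines(samples=SAMPLES):
    """Emit log lines in the SECCHK style shown above (timestamp omitted),
    using the refined command check so normal words are not reported."""
    lines = []
    for tag, value in samples:
        if char_detect(value):
            lines.append(f"SECCHK: XSS character detected: tag|value: {tag}|{value}")
        if refined_command_detect(value):
            lines.append(f"SECCHK: XSS command detected: tag|value: {tag}|{value}")
    return lines


if __name__ == "__main__":
    for tag, value in SAMPLES:
        print(f"{tag}|{value}")
        print("  naive  :", naive_command_detect(value))
        print("  refined:", refined_command_detect(value))
        print("  escaped:", escape_for_html(value))
    print("\n".join(secchk_lines()))
```

Note that the character check still reports '<Various Composers>' and 'Let X=X', since those characters genuinely are present; the refinement only removes the keyword false positive. Whether the character report is worth keeping is a question of log noise, because once every tag value is escaped on output those characters are rendered as text, not markup.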

