09-13-2024, 06:37 PM
(09-13-2024, 05:58 PM)TheOldPresbyope Wrote: So with XSS detection enabled, I regenerated the library using my modest collection of ca. 600 albums. Got several dozen hits based on detection of "<", "(", and "=".
Examples:
20240913 132330 SECCHK: XSS character detected: tag|value: Composer|<Various Composers>
...
20240913 132330 SECCHK: XSS command detected: tag|value: Title|Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)
...
20240913 132330 SECCHK: XSS character detected: tag|value: Title|Let X=X
...
20240913 132330 SECCHK: XSS character detected: tag|value: Comment|fre:ac - free audio converter <https://www.freac.org/>
...
All in all, detection and reporting seems to be working (though calling out Laurie Anderson for her iconic Let x=x just feels so wrong<grin>).
Still, from a system perspective, the more important part of your recent security changes is the tightening of the webUI code. Too bad it's invisible to the casual user but it is definitely an improvement.
Regards,
Kent
Parentheses are not part of the regex but 'script' is an XSS command. It's in the word 'transcription'. I'll have to refine the XSS command detection so that normal words don't trigger detection.
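To show the false positive Kent reported and the kind of refinement the reply describes, here is an added Python example; it is not moOde's own code, and the regexes, the check_tag/scan_library names and the sample tag values are assumptions modelled on the log lines quoted above.

```python
import re

# Constructed tag|value pairs modelled on the SECCHK log lines quoted in the post.
SAMPLE_TAGS = [
    ("Composer", "<Various Composers>"),
    ("Title", "Marguerite (Albumblatt) for violin & piano (transcription of work by Rachmaninov)"),
    ("Title", "Let X=X"),
    ("Comment", "fre:ac - free audio converter <https://www.freac.org/>"),
    ("Title", "A Quiet Evening"),
]

# Hypothetical patterns; the real moOde regexes are not shown on the page.
# Character check: "<", ">" and "=" (the reply says parentheses are not in the regex).
XSS_CHAR_RE = re.compile(r"[<>=]")
# Naive command check: bare substring, so "transcription" also contains "script".
XSS_CMD_NAIVE_RE = re.compile(r"script", re.IGNORECASE)
# Refined command check: "script" only as a whole word or right after a tag opener.
XSS_CMD_REFINED_RE = re.compile(r"<\s*/?\s*script\b|\bscript\b", re.IGNORECASE)


def check_tag(tag, value, refined=False):
    """Return SECCHK-style findings for one tag|value pair.

    Each finding is a (kind, tag, value) tuple, with kind either
    'character' or 'command', mirroring the two log messages in the post.
    """
    findings = []
    if XSS_CHAR_RE.search(value):
        findings.append(("character", tag, value))
    cmd_re = XSS_CMD_REFINED_RE if refined else XSS_CMD_NAIVE_RE
    if cmd_re.search(value):
        findings.append(("command", tag, value))
    return findings


def scan_library(tags, refined=False):
    """Scan (tag, value) pairs and return one SECCHK-style line per finding."""
    lines = []
    for tag, value in tags:
        for kind, t, v in check_tag(tag, value, refined):
            lines.append(f"SECCHK: XSS {kind} detected: tag|value: {t}|{v}")
    return lines


if __name__ == "__main__":
    for mode in (False, True):
        print("refined" if mode else "naive", "command matching:")
        for line in scan_library(SAMPLE_TAGS, refined=mode):
            print("  " + line)
```

With the naive pattern the "transcription" title is reported as an XSS command; with the word-boundary pattern it is not, while a literal script tag is still caught.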