Summary
Currently, the preloaded data embedded in the page as JSON is not escaped correctly. An administrator or event administrator can break their own installation by entering text that is not correctly escaped.
Note that the Content-Security-Policy directive blocks any potential script execution.
Details
The administrator or event administrator can override the texts for customization purposes. These texts are not properly escaped before being embedded in the page.
PoC
Log in as an administrator and open System configuration, Internationalization tab.
In the first entry, "alfio.credits", enter the following text:
"</script><script>
Go to the page of an event: you get an empty page with the following errors in the console:
Refused to execute inline script because it violates the following Content Security Policy directive
and
SyntaxError: Unterminated string in JSON at position 26356 (line 1 column 26357)