Skip to content

Fix Stored XSS in User Profile - first_name Field #360

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
grich88 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix Stored XSS in User Profile - first_name Field #360

grich88 wants to merge 1 commit into from

Conversation

@grich88
Copy link

@grich88 grich88 commented Nov 11, 2025
edited
Loading

PR #2: Fix Stored XSS in User Profile - first_name Field

Fixes #357

🔧 FIX: STORED XSS VULNERABILITY

Related Issue: #357 (Stored XSS in User Profile)
Severity: High (CVSS 8.8)
Files Changed:

  • User profile update handler (backend)
  • User profile display components (frontend)

📋 SUMMARY

This PR fixes a stored XSS vulnerability in the first_name field that allowed persistent JavaScript injection, enabling session hijacking and account takeover.

Vulnerability: No input sanitization on first_name field
Fix: Add input sanitization and output encoding

🔍 CHANGES

Backend Fix (Input Sanitization)

Location: User profile update handler (Django/TypeScript)

Before (Vulnerable):

# Django example def update_user_profile(request, user_id): user = User.objects.get(id=user_id) user.first_name = request.data.get('first_name', '') # No sanitization user.save() return Response({'first_name': user.first_name}) # No encoding

After (Fixed):

from django.utils.html import escape from bleach import clean def update_user_profile(request, user_id): user = User.objects.get(id=user_id) # Sanitize input - strip HTML tags first_name = clean(request.data.get('first_name', ''), tags=[], strip=True) user.first_name = first_name user.save() # Encode output for safety return Response({ 'id': user.id, 'first_name': escape(user.first_name), # HTML encode output 'last_name': escape(user.last_name), ... })

TypeScript/Node.js Example:

import DOMPurify from 'isomorphic-dompurify'; async function updateUserProfile(userId: string, data: UpdateUserData) { // Sanitize input const sanitizedFirstName = DOMPurify.sanitize(data.first_name, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] }); const user = await User.update({ id: userId, first_name: sanitizedFirstName }); return { ...user, first_name: DOMPurify.sanitize(user.first_name) // Sanitize output }; }

Frontend Fix (Output Encoding)

Location: User profile display components

Before (Vulnerable):

// Dangerous - direct HTML injection document.getElementById('user-name').innerHTML = userData.first_name;

After (Fixed):

// Safe - use textContent instead of innerHTML document.getElementById('user-name').textContent = userData.first_name; // OR use proper encoding import DOMPurify from 'dompurify'; document.getElementById('user-name').innerHTML = DOMPurify.sanitize(userData.first_name);

React Example:

// Safe - React automatically escapes function UserProfile({ user }) { return ( <div> <h1>{user.first_name}</h1> {/* Safe - auto-escaped */} </div> ); } // Dangerous - avoid dangerouslySetInnerHTML // <div dangerouslySetInnerHTML={{__html: user.first_name}} />

WHAT THIS FIX DOES

  1. Input Sanitization: Strips HTML tags and JavaScript from user input
  2. Output Encoding: HTML-encodes output when displaying user data
  3. Defense in Depth: Both input sanitization and output encoding
  4. Maintains Functionality: Legitimate user data (names with special characters) still works

🧪 TESTING

Test 1: XSS Payload (Should Be Sanitized)

curl -X PATCH "https://app.aixblock.io/api/users/13301/" \ -H "Cookie: sessionid=..." \ -H "Content-Type: application/json" \ -d '{"first_name": "<img src=x onerror=alert(1)>"}'

Expected:

  • Input: <img src=x onerror=alert(1)>
  • Stored: img src=x onerror=alert(1) (tags stripped)
  • Displayed: &lt;img src=x onerror=alert(1)&gt; (HTML encoded)

Test 2: Legitimate Data (Should Work)

curl -X PATCH "https://app.aixblock.io/api/users/13301/" \ -H "Cookie: sessionid=..." \ -H "Content-Type: application/json" \ -d '{"first_name": "John O'\''Brien"}'

Expected:

  • Input: John O'Brien
  • Stored: John O'Brien
  • Displayed: John O'Brien (properly escaped)

Test 3: Special Characters (Should Work)

curl -X PATCH "https://app.aixblock.io/api/users/13301/" \ -H "Cookie: sessionid=..." \ -H "Content-Type: application/json" \ -d '{"first_name": "José & María"}'

Expected:

  • Input: José & María
  • Stored: José & María
  • Displayed: José &amp; María (HTML encoded)

🔐 SECURITY IMPACT

  • Prevents XSS attacks via first_name field
  • Maintains user experience for legitimate data
  • Defense in depth with both input and output protection
  • Applies to all user fields (first_name, last_name, etc.)

📝 ADDITIONAL RECOMMENDATIONS

  1. Apply same fix to other fields: last_name, username, etc.
  2. Content Security Policy: Implement CSP headers for additional protection
  3. Input Validation: Add length limits and character restrictions
  4. Testing: Test with various XSS payloads to ensure complete sanitization

VERIFICATION CHECKLIST

  • Input sanitization implemented
  • Output encoding implemented
  • XSS payloads are sanitized
  • Legitimate data still works
  • Special characters handled correctly
  • Both backend and frontend protected

Status: Ready for Review
Date: 2025-11-11
@grich88
Copy link
Author

grich88 commented Nov 11, 2025

This PR fixes Issue #357
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@grich88