
How to block execute script code #4517

jintaeson ·

Hi,
We found that scripts are executable for all input fields.
Can I block that feature?

  1. Trigger build.
  2. Move build overview > Edit Description > "" > save
  3. Refresh page.
  4. "Alert XSS"
robinshen ADMIN ·

To turn it off, make sure to disable "Script Allowed" in all assigned groups. Nevertheless, an administrator can always run scripts.

jintaeson ·

It's basically disabled.
QB version : 11.0.33

  1. Move build overview > Edit Description > select "source" > input "<script>alert("XSS")" > save
  2. Alert "XSS"
robinshen ADMIN ·

Applications like QB should be used in a trusted environment, and I think such an issue is tolerable. Even if this is disabled, you still cannot prevent users from running arbitrary logic as long as they are allowed to create configurations, as they can check out from any desired source.