JS-Injection and PHP error on Live Demo https://jeditable.elabftw.net/

[HoffmannTom]

Description

The website https://jeditable.elabftw.net/ provides some sample input fields.
The example website has problems with JS-injection and is missing escaping.

How to reproduce

If I use the "Basic minimal example" I can enter e.g. the string "test <script>alert("hello")</script> & üö"
After pressing enter button, an alert message appears (JS-injection) and also a PHP-error is shown:
Warning: Undefined array key "slow" in /var/www/html/demos/save.php on line 3 Warning.

Expected result

The script tag and all special characters should be treated correctly.

Actual result

Alert is shown and PHP error occurs

Environment

jQuery version:
Browser: Chrome 90
OS: Win10

[NicolasCARPi]

Hello,

Thank you for bringing this to my attention. It is true that when I made that Docker image/demo site I didn't really consider security... I'll look into it ASAP.

In the meantime, if you're interested in XSS and other potential security issues, please have a look at https://github.com/elabftw/elabftw (and the online demo: https://demo.elabftw.net) and if you find a valid security issue, there will be a little reward ;)

Cheers,
~Nico