Allowed_html configuration not working in OJS version 3.3.0.11

Hi There,

I have installed OJS version 3.3.0.11 and found following issue in this version:

  1. I am able to insert an input value using an input field in the dashboard. Please see the attachment 1.png .

  2. The code got executed on Journal Management Setting page. Please see the attachment 2.png .

Please help us regarding this issue.

Thanks,
Abhay

Hi @abmishra,

If you’re using custom scripts, a better approach might be to use the custom header plugin. I don’t think it will work in the way that you’ve done it within the existing settings forms in OJS. This thread provides a good overview of the plugin and how it’s used: Use Case/Examples for Custom header plugin for OJS - #8 by asmecher

-Roger
PKP Team

@rcgillis I guess the intention of this post is not a usage of custom scripts, but a bug report. See the other post: Allowed html tag issue

Hi @abmishra,

In the future, if you think you may be encountering a security issue, please follow the instructions here:

I’ve entered <script>alert(1)</script> in the “Preferred Public Name” field, but do not see the alert as you report. Can you check the page source to see where the <script>alert(1)</script> is being served and interpreted? (Is it possible you were entering the same script in another field that may be responsible?)

Regards,
Alec Smecher
Public Knowledge Project Team
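The check Alec asks for above (look at the page source and find where the submitted string is served raw rather than entity-encoded) can be scripted. The following is an added example, not code from the thread or from OJS: it takes a page's HTML source, locates every occurrence of the test marker, classifies each as raw (the browser would interpret it) or escaped (displayed as text), and shows the surrounding source so you can tell which field reflected it. The marker is the one mentioned in the thread; the two sample pages are constructed for this example and are not real OJS output.

```python
import html
import re

# Added example, not part of the forum thread or of OJS itself.
# The marker is the test string mentioned above; the sample pages further
# down are constructed for this example.
MARKER = "<script>alert(1)</script>"


def find_marker_contexts(page_source, marker=MARKER, context=40):
    """Locate every occurrence of `marker` in a page's HTML source.

    Returns a list of dicts, sorted by offset, each with:
      offset  - character position in the source
      kind    - 'raw' when the literal tag is present (interpreted by the
                browser) or 'escaped' when only the entity-encoded form
                appears (rendered as visible text)
      snippet - surrounding source, so the field that served it can be seen
    """
    forms = {"raw": marker, "escaped": html.escape(marker)}
    results = []
    for kind, needle in forms.items():
        for m in re.finditer(re.escape(needle), page_source):
            start = max(0, m.start() - context)
            results.append({
                "offset": m.start(),
                "kind": kind,
                "snippet": page_source[start:m.end() + context],
            })
    return sorted(results, key=lambda r: r["offset"])


def is_output_escaped(page_source, marker=MARKER):
    """True when the marker never appears raw, i.e. every reflection of the
    submitted value was entity-encoded on output (vacuously true when the
    page does not reflect the value at all)."""
    return all(r["kind"] == "escaped"
               for r in find_marker_contexts(page_source, marker))


# Constructed sample pages: one where the stored value was escaped when the
# form was rendered, one where a listing reflected it without encoding.
ESCAPED_PAGE = (
    '<form><label>Preferred Public Name</label>'
    '<input name="preferredPublicName" '
    'value="&lt;script&gt;alert(1)&lt;/script&gt;"></form>'
)
RAW_PAGE = (
    '<div class="contributor"><span class="name">'
    '<script>alert(1)</script></span></div>'
)

if __name__ == "__main__":
    for label, page in (("escaped page", ESCAPED_PAGE), ("raw page", RAW_PAGE)):
        verdict = "safe" if is_output_escaped(page) else "UNESCAPED OUTPUT FOUND"
        print(f"{label}: {verdict}")
        for hit in find_marker_contexts(page):
            print(f"  offset {hit['offset']} ({hit['kind']}): ...{hit['snippet']}...")
```

To use it against a real page, save the server's HTML response (the page source, not the DOM after scripts have run) to a file and pass its contents to `find_marker_contexts`; a `raw` hit pinpoints the template or field that is emitting the stored value without encoding, which is the information a bug report on this issue needs.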