Skip to content

Security Patches: IDOR and XSS Fixes#213

Open
arpit000010 wants to merge 83 commits into
RECursion-NITD:testingfrom
arpit000010:arpit-security-patch
Open

Security Patches: IDOR and XSS Fixes#213
arpit000010 wants to merge 83 commits into
RECursion-NITD:testingfrom
arpit000010:arpit-security-patch

Conversation

@arpit000010

Copy link
Copy Markdown

Changes Made:

  1. Fixed IDOR / Account Takeover Vulnerability
  • Issue: The LoginWithGoogleView API endpoint had a flaw where an attacker could create a Google account matching an existing username (e.g., admin) and hijack the account, receiving a valid JWT token for that user.
  • Fix: Added validation in user_profile/api/views.py to ensure that if a matching username exists but the Google email doesn't match the database email, the login is rejected with a 403 Forbidden error.
  1. Fixed Stored Cross-Site Scripting (XSS)
  • Issue: Markdown inputs in the Forum, Blog, and Events models did not strip malicious HTML tags, allowing attackers to inject JavaScript (e.g., <script> tags).
  • Fix: Installed the bleach and tinycss2 libraries. Implemented a sanitize_markdown utility function that safely strips malicious tags and attributes on the server-side before saving to the database.
  1. Dependency Updates
  • Added bleach[css]==6.2.0 and tinycss2==1.4.0 to requirements.txt.

apaul2077 and others added 30 commits December 11, 2025 20:56
fixed team member icon hover and layout issue and some other change
Made a few backend changes to facilitate registration and user creation
… fixed email link using previous domain name, blocked the old UI
finalised certain login/signup flow APIs, fixed password reset issue, fixed email link using previous domain name, blocked the old UI
Feat: Handle client_type during user registration for smart mobile app redirects
Revert "Feat: Add mobile client_type handling and deep-link redirects…
Feat: Enhance Google OAuth integration with client ID validation
Feat: Improve Google Login validation by enhancing client ID checks
Update README with project setup and contribution instructions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.