If you're creating a bug/problem report, please include the following:
- ABP Framework version: v4.4.4
- UI type: Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): Identity Server Separated
- Exception message and stack trace: No Exception
- Steps to reproduce the issue:
Open the link:
https://login.example.com/Account/Manage?returnUrl=data:;;;:;base64______%2CPHNDcklwdCA%2BcHJvbXB0KDk1ODYpPCAvU2NSaXBUPg==
After login, the href of the "return to application" button will run the injected base64 script instead of going back to the application:
<div class="mb-2 row"> <div class="col"> <a class="btn btn-primary" id="returnUrlLink" href="data:;;;:;base64______,PHNDcklwdCA+cHJvbXB0KDk1ODYpPCAvU2NSaXBUPg=="> <i class="fa fa-chevron-left mr-2"></i>Back to the application </a> </div> </div>
My application is currently under penetration test by the government and they won't give me a license if I don't solve this threat.
Regards,
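The root cause in the report above is that returnUrl is reflected straight into an href without first checking that it points back into the application. HTML-attribute encoding does not help here: the payload contains no characters that encoding would neutralise, the problem is the data: scheme itself. The usual guard is to accept only a local, path-only URL and fall back to the application root otherwise; in an ASP.NET Core page the framework already ships this check as Url.IsLocalUrl(returnUrl). The following console program is an added example, not ABP's code and not the fix from the project's own pull request; it re-implements the same rules as a standalone method so the behaviour on the reported payload and on the usual bypass variants can be seen without the framework. The ReturnUrlGuard class name, the SafeReturnUrl helper and the sample inputs are all assumptions made for the example.

```csharp
// Added example, not ABP's own code. Mirrors the rules of ASP.NET Core's
// IUrlHelper.IsLocalUrl: the check a returnUrl needs before it is echoed
// into an href. Assumption: the page only ever needs to send users back to
// a path on the same origin, never to another host.
using System;

public static class ReturnUrlGuard
{
    // Returns true only for same-origin, path-only URLs such as
    //   "/Account/Manage", "/Account/Manage?tab=1", "~/Account/Manage".
    // Rejects anything carrying a scheme ("data:", "javascript:", "https://..."),
    // the protocol-relative form "//evil.example" and the backslash variant
    // "/\evil.example", which some browsers normalise to "//evil.example".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        // "~/..." is the ASP.NET application-root form; treat it like "/...".
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            url = url.Substring(1);

        // Anything that does not start with "/" is either a relative path or
        // an absolute URL with a scheme; both are refused.
        if (url[0] != '/')
            return false;

        // "/" alone is the application root.
        if (url.Length == 1)
            return true;

        // "//host" and "/\host" are absolute URLs in disguise.
        if (url[1] == '/' || url[1] == '\\')
            return false;

        // Control characters (CR, LF, TAB, ...) are refused as well, so that a
        // second URL cannot be smuggled in after whitespace.
        foreach (char c in url)
        {
            if (c < 0x20 || c == 0x7f)
                return false;
        }

        return true;
    }

    // Value that is safe to emit into the href: the original URL if it is
    // local, otherwise the application root (assumed fallback).
    public static string SafeReturnUrl(string url, string fallback = "/")
    {
        return IsLocalUrl(url) ? url : fallback;
    }

    public static void Main()
    {
        // Constructed inputs: the payload from the report above (URL-decoded),
        // a legitimate local URL and the common bypass variants.
        string[] samples =
        {
            "data:;;;:;base64______,PHNDcklwdCA+cHJvbXB0KDk1ODYpPCAvU2NSaXBUPg==",
            "/Account/Manage?tab=1",
            "~/Account/Manage",
            "//evil.example/phish",
            "/\\evil.example/phish",
            "javascript:alert(1)",
            "https://login.example.com/Account/Manage",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-70} local={1,-5} href={2}",
                s, IsLocalUrl(s), SafeReturnUrl(s));
        }
    }
}
```

In the actual Razor page the same effect is obtained by passing the query value through Url.IsLocalUrl before it is assigned to the href, and substituting the application root when the check fails. Note that the https://login.example.com/... sample is also rejected: a local-URL check refuses every absolute URL, even one on the same host, so a page that legitimately needs to return to a different origin has to compare against an explicit allow list of origins instead.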
5 Answer(s)
-
0
It is not the login page, it is the IdentityServer manage profile page, right?
To be sure, can you share a screenshot of the page and the link you are having a problem with?
-
0
-
0
Thank you for your report.
I have created an internal issue about this. We will investigate.
-
0
Any news?
-
0
Hi,
https://github.com/abpframework/abp/pull/12569