CVE-2022-4642: Unsanitized input · Issue #3002 · Tatoeba/tatoeba2
A vulnerability was found in tatoeba2. It has been classified as problematic. This affects an unknown part of the component Profile Name Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version prod_2022-10-30 is able to address this issue. The name of the patch is 91110777fc8ddf1b4a2cf4e66e67db69b9700361. It is recommended to upgrade the affected component. The identifier VDB-216501 was assigned to this vulnerability.
The profile name field on the website does not properly sanitize user input. For example, I was able to insert a picture as well as a JavaScript popup box into my profile name. This can allow for XSS attacks, which could lead to things such as sensitive information being stolen or the user’s account being taken over.
The website also does not properly sanitize data input for the following fields: sentence reviews, sentence languages, profile languages, profile language levels, and birthday year. However, these issues are less severe since they appear to only allow for invalid data to be entered, and not malicious code execution. Inputting invalid data into these fields also requires the user to send an edited HTTP POST request, which is less likely to happen than simply inputting data into the profile name field.
Steps To Reproduce:
Unsanitized name input
- Open “https://dev.tatoeba.org/user/edit_profile” while logged in.
- In the “Name” field, insert some HTML code (for example `<script>alert("hello")</script>`) and then save.
- Now when someone visits your profile, your name will display whatever html code you inserted.
Unsanitized HTTP posts
- Perform an action on the website that sends an HTTP POST request.
- Log and save the HTTP POST request that is sent (for example, using the developer tools in your web browser).
- Edit the saved HTTP POST request and change some of the values.
- Send the edited HTTP POST request to the website again.
I am not a security expert or web developer, so my understanding of these issues and their potential risks may be inaccurate. There may be other input fields on the website that do not properly sanitize user input. This bug report only covers what I have found.
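The two problems in this report call for two distinct server-side controls: output encoding of the profile name wherever it is rendered (the fix for the XSS), and re-validation of every structured field on the server, since an edited POST bypasses whatever the browser form enforces. The following is an added illustration of both, written here in Python; it is not Tatoeba's code (the project is PHP-based) and it assumes constructed field names (`name`, `birthday_year`, `languages`, `review`), constructed allow-lists and limits that stand in for the site's real option tables.

```python
from __future__ import annotations

import html
from datetime import date

# Constructed allow-lists standing in for the site's real option tables;
# the codes, levels and review labels are illustrative, not Tatoeba's.
ALLOWED_LANGUAGES = {"eng", "fra", "deu", "jpn", "spa"}
ALLOWED_LEVELS = {0, 1, 2, 3, 4, 5}          # 0 = "no level given" ... 5 = "native"
ALLOWED_REVIEWS = {"ok", "unsure", "not ok"}
NAME_MAX_LEN = 50                             # constructed limit
MIN_BIRTH_YEAR = 1900                         # constructed lower bound


def render_profile_name(name: str) -> str:
    """Escape a stored name for insertion into an HTML text node or quoted attribute.

    Output encoding at render time is the primary XSS defence: whatever was
    stored, the characters < > & " ' become entities, so markup in a name is
    displayed literally instead of being parsed by the browser.
    """
    return html.escape(name, quote=True)


def validate_profile_update(form: dict) -> tuple[dict, list[str]]:
    """Server-side validation of a profile POST. Returns (cleaned, errors).

    Every value is re-checked here because drop-downs and length limits in
    the browser form are advisory only; an edited request can carry anything.
    """
    cleaned, errors = {}, []

    name = form.get("name", "")
    if not isinstance(name, str) or not (1 <= len(name.strip()) <= NAME_MAX_LEN):
        errors.append("name: must be 1-%d characters" % NAME_MAX_LEN)
    elif any(ord(ch) < 32 for ch in name):
        errors.append("name: control characters not allowed")
    else:
        cleaned["name"] = name.strip()        # stored as typed; escaped on output

    year = form.get("birthday_year")
    if year not in (None, ""):
        if not str(year).isdigit() or not (MIN_BIRTH_YEAR <= int(year) <= date.today().year):
            errors.append("birthday_year: out of range")
        else:
            cleaned["birthday_year"] = int(year)

    langs = []
    for entry in form.get("languages", []):
        code, level = entry.get("code"), entry.get("level")
        if code not in ALLOWED_LANGUAGES:
            errors.append("languages: unknown code %r" % code)
        elif not str(level).isdigit() or int(level) not in ALLOWED_LEVELS:
            errors.append("languages: bad level %r for %s" % (level, code))
        else:
            langs.append((code, int(level)))
    if langs:
        cleaned["languages"] = langs

    review = form.get("review")
    if review is not None:
        if review in ALLOWED_REVIEWS:
            cleaned["review"] = review
        else:
            errors.append("review: %r not one of %s" % (review, sorted(ALLOWED_REVIEWS)))

    return cleaned, errors


if __name__ == "__main__":
    # Constructed example of an edited POST body of the kind the report describes.
    forged = {
        "name": '<script>alert("hello")</script>',
        "birthday_year": "19999",
        "languages": [{"code": "eng", "level": "5"}, {"code": "xx", "level": "9"}],
        "review": "definitely",
    }
    cleaned, errors = validate_profile_update(forged)
    print("stored name:  ", cleaned.get("name"))
    print("rendered name:", render_profile_name(cleaned["name"]))
    for problem in errors:
        print("rejected:", problem)
```

Note the split of responsibilities: the name is accepted as typed (apart from length and control characters) and neutralised at output, so the fix does not depend on guessing every dangerous input pattern, while the structured fields are compared against allow-lists so that values a browser could never have sent are refused outright.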