Hi,
I have created table:
CREATE TABLE "<h1 onmouseover='alert(1);'>x" (
id serial
);
In sidebar I expanded "Tables" and i moved my mouse to table "X". In
that case I received javascript alert.
XSS works when i put malicious code into index name or column name:
CREATE TABLE a (id serial);
CREATE INDEX "<h1 onmouseover='alert(1);'>idx" ON a(id);
CREATE TABLE b ("<h1 onmouseover='alert(1);'>column" serial);
During removal index or table still see JavaScript alert. And last
one, in "Properties" tab.
All chars like <, >, ", '. should be filtered in names of tables,
columns, indexes.
Tested on: Pgadmin4 1.0-beta3, Windows 7 x64, Server: PostgreSQL 9.5.3
on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat
4.8.5-4), 64-bit
Regards,
Krzysztof Otręba