DogukanUrker flaskBlog
cpe:2.3:a:dogukanurker:flaskblog:*:*:*:*:*:*:*
- <= 2.8.1
A cross-site scripting (XSS) vulnerability has been identified in FlaskBlog versions through 2.8.1. The issue arises from improper sanitization of the 'postContent' variable when POST requests are made to '/createpost'. This flaw allows arbitrary execution of JavaScript on all pages where the post is displayed, including the homepage, individual post pages, the admin posts dashboard, and user profile pages. The vulnerability exists because the application fails to properly sanitize content on the server side before it is stored in the database, allowing malicious scripts to be executed in the context of the user viewing the post.
Exploitation of this vulnerability allows for the execution of JavaScript in the browser of any user who views a page containing the affected post. This could lead to the theft of sensitive user information or defacement of the website.
To reproduce this vulnerability, log in as a user and navigate to the '/createpost' page. Intercept the POST request and modify the 'postContent' parameter to include unescaped JavaScript, such as a script tag containing an alert. After submitting the post, visit any page that displays the post to observe the JavaScript execution, such as the homepage or the user's profile page.
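The missing control described above is server-side sanitization of 'postContent' before it is stored. The following is an added example, not FlaskBlog's code or its actual fix: an allowlist sanitizer built on the Python standard library. The helper name `sanitize_post_content`, the tag allowlist and the permitted URL schemes are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: a small formatting allowlist, nothing else.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "blockquote", "code", "pre", "h2", "h3", "a"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text are discarded
SAFE_SCHEMES = {"http", "https", "mailto"}

def _safe_href(value):  # URL if absolute with an allowed scheme, else None
    try:
        url = (value or "").strip()
        return url if urlsplit(url).scheme.lower() in SAFE_SCHEMES else None
    except ValueError:
        return None

class _PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif self.skip == 0 and tag in ALLOWED_TAGS:
            # Every attribute is dropped; only a validated href is re-emitted.
            href = _safe_href(dict(attrs).get("href")) if tag == "a" else None
            if href:
                self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow noopener">')
            else:
                self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif self.skip == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip == 0:      # text is always re-escaped before storage
            self.out.append(html.escape(data, quote=True))

def sanitize_post_content(raw):
    """Hypothetical helper: call on request.form['postContent'] before the INSERT."""
    parser = _PostSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Because the check runs on the server, it still applies when the request body is altered after leaving the browser, which is the path the reproduction steps rely on.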