
[Security]: Implement output escaping for user data in UI #336

@crivetimihai

🐞 Bug Summary

User-controlled data in admin UI is not properly escaped.


🧩 Affected Component

  • mcpgateway - UI (admin panel)

🔁 Steps to Reproduce

  1. Navigate to admin panel and access "Global Prompts" section
  2. Click "Add new prompt"
  3. Enter malicious payload in Template field: `<img src=x onerror="alert('test)">`
  4. Save the prompt
  5. View the prompt details by clicking the "View" button
  6. Script executes in browser context

🤔 Expected Behavior

User input should be properly escaped and displayed as text content without executing any embedded scripts.


📓 Logs / Error Output

No server-side errors. Client-side JavaScript alert executes.

🧩 Additional Context (optional)

  • Affects admin interface integrity
  • Potential for session hijacking or unauthorized admin actions
  • Similar escaping issues may exist in other user data display areas
  • Admin-only access reduces attack surface but still poses privilege escalation risk

Note: The UI can be disabled through a feature flag and listens on localhost by default, which significantly reduces exposure in typical deployments where input sanitization is performed by the application.
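The expected behavior described above, as an added example that is not part of the original issue and is not mcpgateway's own code: a prompt-detail renderer that concatenates stored fields into markup, beside a version that escapes every interpolated value. The function names, the `prompt` object shape and the markup are assumptions made for illustration.

```javascript
// Added example: names and markup are hypothetical, not taken from mcpgateway.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change the HTML parsing context.
// null/undefined become "", other non-strings are coerced to strings.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup written by the
// developer; every interpolated value is escaped before it is joined in.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// BEFORE: stored prompt fields are concatenated straight into markup, so
// any tags they contain are parsed as HTML when the string is rendered.
function renderPromptUnsafe(prompt) {
  return `<div class="prompt"><h3>${prompt.name}</h3><pre>${prompt.template}</pre></div>`;
}

// AFTER: same markup, but field values can only ever appear as text.
function renderPromptSafe(prompt) {
  return safeHtml`<div class="prompt"><h3>${prompt.name}</h3><pre>${prompt.template}</pre></div>`;
}

// Constructed sample record; the template is the value from the steps above.
const samplePrompt = {
  name: "greeting & <test>",
  template: `<img src=x onerror="alert('test)">`,
};

console.log(renderPromptUnsafe(samplePrompt));
console.log(renderPromptSafe(samplePrompt));
```

This escaping covers HTML text and quoted-attribute contexts only; values placed in URLs, inline scripts or styles need context-specific encoding. Where the UI builds DOM nodes directly, assigning to `textContent` instead of `innerHTML` gives the same result without manual escaping.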

Labels: bug (Something isn't working), security (Improves security), triage (Issues / Features awaiting triage)