The "symbol" field, which is often accessible to any user of a smart contract when minting a new NFT, can be exploited for malicious purposes. A user could inject malicious JavaScript code via the "symbol" field, which might then be displayed in a web application, leading to an XSS attack—assuming the web application lacks output sanitization and a properly configured CSP (Content Security Policy).
In the field of cybersecurity, the principle of "Defense in Depth" applies, which emphasizes implementing mitigation mechanisms at every level of a system or application. Given that the "symbol" field is meant to represent only an abbreviated name for the NFT, it should not support an unlimited number of characters. Furthermore, careful consideration should be given to whether certain characters, such as < and >, should be permitted in this field.
openzeppelin-contracts/contracts/token/ERC721/ERC721.sol
Line 41 in ba8b5cf
Example of an attack:
https://solodit.cyfrin.io/issues/insufficient-input-validation-on-sablierv2nftdescriptorsafeassetsymbol-allows-an-attacker-to-obtain-stored-xss-codehawks-sablier-git
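As an added example (not code from this issue, the linked report, or OpenZeppelin), the two defensive layers the report argues for, shown on the dapp side in JavaScript: an allow-list validator for the symbol before a mint or deploy transaction is submitted, and output encoding so that a symbol already stored on-chain cannot be interpreted as markup. The length cap, the character pattern, and the function names are assumptions chosen for the example.

```javascript
// Added example, not part of the original issue or the OpenZeppelin code base.
// Layer 1: reject an over-long or non-ticker-like symbol before it is accepted.
// Layer 2: HTML-encode on output so an unvalidated on-chain value stays inert.

const MAX_SYMBOL_LENGTH = 11;          // assumption: ticker-style cap, not an ERC-721 rule
const SYMBOL_PATTERN = /^[A-Z0-9]+$/;  // assumption: allow-list instead of a deny-list of < and >

// Returns { ok: true } or { ok: false, reason } so a caller can log the rejection.
function validateSymbol(symbol) {
  if (typeof symbol !== 'string' || symbol.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (symbol.length > MAX_SYMBOL_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (!SYMBOL_PATTERN.test(symbol)) {
    return { ok: false, reason: 'disallowed characters' };
  }
  return { ok: true };
}

// Escape the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render an NFT card from escaped values only. In a real page, textContent or a
// templating engine that escapes by default is preferable to string building.
function renderNftCard({ name, symbol }) {
  return `<div class="nft"><span class="name">${escapeHtml(name)}</span>` +
         ` <span class="symbol">${escapeHtml(symbol)}</span></div>`;
}

// Constructed sample values: one ordinary symbol, one carrying markup as in the report.
const sampleSymbol = 'NFT';
const markupSymbol = '<b>X';

console.log(validateSymbol(sampleSymbol));                    // { ok: true }
console.log(validateSymbol(markupSymbol));                    // rejected at layer 1
console.log(renderNftCard({ name: 'Token', symbol: markupSymbol })); // inert at layer 2
```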