Brief summary of the bug. What is it? Where is it?
Adding a new report to a dashboard allows the user to add an external page, which is later shown as a report displayed in an iframe. When the link to an external page is passed to the backend (BE), the link itself is not validated to be a valid URL. This means the user can pass a script (for example a javascript: URL) that would then be executed on page load. We should add validation when saving reports to make sure that an external report can only be saved with a valid URL. Note that the UI already prevents this, but we should have this validation at the API layer too.
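As an added illustration of the API-layer check proposed above (example code written for this report, not the project's own implementation), the function below allowlists the URL scheme and requires a host, so javascript:, data: and scheme-less values are all refused before anything is persisted. The in-memory store, the create_external_report handler and the sample inputs are constructed for the example.

```python
"""Server-side validation for external dashboard report URLs (example, not project code)."""
from urllib.parse import urlsplit

# Only web URLs may be embedded as an external report; anything else
# (javascript:, data:, vbscript:, file:, ...) is refused.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class InvalidReportUrl(ValueError):
    """Raised when a submitted external report URL is not acceptable."""


def validate_external_report_url(raw: object) -> str:
    """Return the normalized URL, or raise InvalidReportUrl.

    The check is an allowlist on the scheme plus a requirement for a host,
    so 'javascript:alert(1)' (scheme javascript), 'data:text/html,...'
    (scheme data) and '//evil.example/' (no scheme at all) are all rejected.
    """
    if not isinstance(raw, str) or not raw.strip():
        raise InvalidReportUrl("URL must be a non-empty string")
    # Tabs, newlines and other control characters are never part of a valid
    # URL; some parsers silently drop them, which can change the scheme.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise InvalidReportUrl("URL contains control characters")
    url = raw.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidReportUrl(f"scheme {scheme or '(none)'!r} is not allowed")
    if not parts.hostname:
        raise InvalidReportUrl("URL must contain a host")
    return url


# Hypothetical in-memory store standing in for the real reports table.
_REPORTS: dict = {}


def create_external_report(dashboard_id: int, name: str, url: object) -> dict:
    """Hypothetical API-layer handler: validate first, persist only on success."""
    safe_url = validate_external_report_url(url)
    report = {
        "id": len(_REPORTS) + 1,
        "dashboard_id": dashboard_id,
        "name": name,
        "type": "external",
        "url": safe_url,
    }
    _REPORTS[report["id"]] = report
    return report


def is_safe_external_url(raw: object) -> bool:
    """Boolean convenience wrapper, handy for unit tests and API checks."""
    try:
        validate_external_report_url(raw)
        return True
    except InvalidReportUrl:
        return False


if __name__ == "__main__":
    # Constructed samples: the first has the shape of the report's PoC, the
    # next four are common bypass attempts, the last is a legitimate URL.
    samples = [
        'javascript:alert("xss:"+document.domain)',
        "JavaScript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/report",
        "java\tscript:alert(1)",
        "https://reports.example.com/sales?quarter=3",
    ]
    for s in samples:
        verdict = "accepted" if is_safe_external_url(s) else "rejected"
        print(f"{s!r:50} -> {verdict}")
```

The validation is deliberately an allowlist rather than a blocklist of bad schemes: a blocklist would have to keep up with every scheme a browser treats as executable, whereas accepting only http and https with a host covers exactly what an iframe report needs. The same function can back a unit test that submits the PoC value directly to the API, which is what the testing notes below ask for.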
Steps to reproduce:
- create a dashboard
- use the "Add a Report" button
- in the modal go to the "External URL" tab and use the code below as the URL
javascript:alert("SySS Stored XSS Proof of Concept within domain:\n\n"+document.domain)
- if you modify the HTML to enable the "Add Report" button, clicking it passes this script code to the server
Actual result:
The server accepts the javascript: value and saves it as the external report's URL; the script is then executed when the report is loaded.
Expected result:
An external report should not be saved if it contains a link that is not a valid URL
Testing Notes:
- Invalid URLs must be rejected when saving external reports on dashboards. You might need to modify the HTML to be able to test this in the UI
- QA note: button element should be enabled