
[Bug] XSS Vulnerability in /admin/users #46

Open
4 tasks done
AmrealAbhishek opened this issue Oct 18, 2024 · 1 comment

Comments

@AmrealAbhishek

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

There is a Cross-Site Scripting (XSS) vulnerability in the localhost.lugvitc.net/admin/users page. The application is not properly sanitizing user input, which allows attackers to inject arbitrary JavaScript into the page and execute it within the context of other users' browsers.

Expected Behavior

The input fields should properly sanitize all user input, especially special characters such as <, >, " and '. The application should escape any potentially malicious content to prevent script execution.

Steps To Reproduce

[Four screenshots attached, taken 2024-10-16 between 4:09 PM and 4:12 PM]

  1. Navigate to the localhost.lugvitc.net/admin/users page.
  2. In the input field (e.g., name or other parameters), input the following XSS payload:
     • <input onfocus="alert(document.domain)" autofocus>
     • <img src="x" onerror="console.log('XSS for every user: ', document.cookie)">
  3. Submit the form and observe that the alert "XSS by amreal.in" is triggered, indicating that the payload is executed.
  4. This shows that the application is vulnerable to XSS and does not sanitize the input.

[Two screenshots attached, taken 2024-10-16 at 4:02 PM and 4:07 PM]

Environment

- OS: Ubuntu
- Headscale version: Headscale-Admin v0.1.12b
- Tailscale version:

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response
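A defender's illustration of the escaping the "Expected Behavior" section asks for, added here as an example and not code from headscale-admin: the report's two payloads are used as a user name, once interpolated into markup raw and once HTML-escaped, with a small tripwire check showing that only the raw rendering still carries a tag with an event-handler attribute. The `renderUserRow*` functions, the `user.name` field and the string-templated table row are assumptions made for the demo, not the project's own rendering code.

```javascript
// Added example (not headscale-admin's own code). Escapes user-controlled
// values before they are placed in the page, so that the characters named in
// the report (<, >, ", ') are rendered as text rather than parsed as markup.

// Escape the five characters that can break out of a text or attribute context.
// '&' goes first so that already-produced entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (assumed shape, for contrast): the user's name is
// interpolated into markup unchanged, so a name that contains a tag becomes
// live HTML in every admin's browser that renders the list.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.name}</td></tr>`;
}

// Hardened pattern: every dynamic value passes through escapeHtml first.
// In a framework that escapes by default (e.g. Svelte's {name}), the same
// rule is "never hand a user-controlled string to a raw-HTML directive".
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.name)}</td></tr>`;
}

// Tripwire used by the checks: does the string still contain an HTML tag
// carrying an on*= event-handler attribute? This is a test aid, not a sanitizer.
function containsEventHandlerTag(html) {
  return /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input: the two payloads from the report, used as a name.
const samplePayloads = [
  '<input onfocus="alert(document.domain)" autofocus>',
  '<img src="x" onerror="console.log(\'XSS for every user: \', document.cookie)">',
];

for (const name of samplePayloads) {
  console.log("raw   :", containsEventHandlerTag(renderUserRowUnsafe({ name })));
  console.log("escaped:", containsEventHandlerTag(renderUserRowSafe({ name })));
}
```

The escaped row contains `&lt;input onfocus=...` as inert text, so the browser shows the payload to the admin instead of running it; escaping belongs at the point of output, not only in the input form.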

@GoodiesHQ
Owner

Very neat! I love this! It's much appreciated and I will address this on the next push.
