Fwd: BUG #14998: XXS vulnerabilities in PostgreSQL 'utf8 4-byte truncation'

From: Thu Luu <ltthu2810(at)gmail(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Fwd: BUG #14998: XXS vulnerabilities in PostgreSQL 'utf8 4-byte truncation'
Date: 2018-01-04 08:11:19
Message-ID: CAJ4jF7Vhc0b3gNHAJUMsNG8UDwKWyDGxrwVZNLH_RWGZFR8iug@mail.gmail.com
Lists: pgsql-bugs

Hi Andres,

My application uses PostgreSQL 9.6.2:

[image: Inline image 1]

When we try inputting to my application as below:
[image: Inline image 3]
The result:
[image: Inline image 5]
=> That is WordPress < 4.1.2 Stored XSS vulnerability
<https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/>.

As far as I know, this error is fixed by using MySQL's strict mode. For
PostgreSQL, can there be any other way?

We appreciate your help in this matter and look forward to hearing from you
soon.

Thanks,
Thu Luu

On Thu, Jan 4, 2018 at 11:22 AM, Andres Freund <andres(at)anarazel(dot)de> wrote:

> On 2018-01-04 04:19:19 +0000, PG Bug reporting form wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 14998
> > Logged by: Thu Luu
> > Email address: ltthu2810(at)gmail(dot)com
> > PostgreSQL version: 9.6.2
> > Operating system: CentOs 6.x
> > Description:
> >
> > My application uses the Postgresql 9.6.2. But, when I use the tool to scan
> > the vulnerabilities. There are some errors related to DB: 'MYSQL utf8 4-byte
> > truncation'.
> > Refer:
> > https://www.acunetix.com/vulnerabilities/web/mysql-utf8-4-byte-truncation
>
> Postgres is not mysql, and to my knowledge does not suffer from an
> equivalent vulnerability. So this more looks like a weakness in your
> scanning tool.
>
> Greetings,
>
> Andres Freund
>

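The check a practitioner would want after reading this exchange is a round-trip test: does the database keep everything that follows a 4-byte UTF-8 character, or does it silently drop the tail the way a MySQL `utf8` (3-byte) column does in non-strict mode? The following is an added example, not code from the thread or from the PostgreSQL project; it assumes a UTF8-encoded PostgreSQL database reached through `psql` with `client_encoding` also set to UTF8, and the table name `xss_probe` and the sample text are constructed for the test.

```sql
-- Added example: confirm PostgreSQL stores text containing a 4-byte UTF-8
-- character without truncating the remainder of the string.
-- Assumes server_encoding and client_encoding are both UTF8.
SHOW server_encoding;   -- expect: UTF8
SHOW client_encoding;   -- expect: UTF8

CREATE TEMP TABLE xss_probe (
    id   serial PRIMARY KEY,
    body text NOT NULL
);

-- Constructed sample input: ASCII text, then U+1D306 (code point 119558,
-- which is 4 bytes in UTF-8), then a trailing marker. A database that
-- truncates at the first 4-byte character would lose the ' after' part,
-- which is exactly what the stored-XSS technique mentioned above relies on.
INSERT INTO xss_probe (body)
VALUES ('before ' || chr(119558) || ' after');

-- The stored value must be byte-for-byte what was inserted:
--   chars  = 14  (7 + 1 + 6 characters)
--   octets = 17  (7 + 4 + 6 bytes)
--   intact = t
SELECT body,
       length(body)                                   AS chars,
       octet_length(body)                             AS octets,
       body = ('before ' || chr(119558) || ' after')  AS intact,
       position(' after' IN body) > 0                 AS tail_present
FROM xss_probe;

DROP TABLE xss_probe;
```

If `intact` comes back false, the alteration happened somewhere other than PostgreSQL's storage (a driver or application layer re-encoding the string, or a client encoding that cannot represent the character); PostgreSQL with a UTF8 database raises an encoding error rather than truncating. For comparison, the same insert into a MySQL column declared with the 3-byte `utf8` character set keeps only `'before '` when strict mode is off (a warning, not an error), rejects the row when strict mode is on, and stores it whole only under `utf8mb4`, which is why the linked advisory talks about MySQL strict mode as the fix.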