A stored XSS vulnerability was discovered in the Category module of FastAPI-Admin. Malicious JavaScript code injected into a form field (e.g. Category Name) is stored in the backend and rendered without proper sanitization. When an admin or any user visits the category list or detail view, the script executes in their browser context.
Steps To Reproduce:
1. Use a browser to visit https://fastapi-admin-pro.long2ice.io/admin/login and log in with admin/123456.
2. Navigate to Category and click the Create button.
3. Insert `<svg onload=alert(document.cookie)>` in the Name field and click Save; the browser pops up an alert showing the cookie.

Mitigation & Recommendation:
### To prevent stored XSS and reduce the attack surface:
1. Input Sanitization:
• Sanitize all user-supplied input before storage using libraries like bleach in Python to strip/escape dangerous HTML/JavaScript content.
2. Output Encoding:
• Ensure all dynamic content is properly HTML-encoded before rendering into templates or views.
• Apply context-aware encoding (e.g., HTML, JS, URL) based on where the data is rendered.
3. Set HttpOnly on Cookies:
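The three mitigations above, shown side by side in an added example (this is not FastAPI-Admin's own code): the unsafe interpolation that reproduces the report, HTML and JavaScript-context encoding of the same stored value, a storage-time tag stripper as defence in depth (bleach is named above; the stdlib parser is used here so it runs offline), and a session cookie carrying HttpOnly. The `session` cookie name and the sample category names are constructed for the example.

```python
import html
import json
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample: the payload from the report, as read back from the database.
STORED_NAME = "<svg onload=alert(document.cookie)>"


class _TagStripper(HTMLParser):
    # Keeps only text nodes; tags and their attributes (onload etc.) are dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def sanitize_on_input(value: str) -> str:
    # Defence in depth at storage time; bleach.clean() with an empty tag
    # allowlist does the same job.  Output encoding below is still required.
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts).strip()


def render_row_unsafe(name: str) -> str:
    # The reported bug: the stored value is interpolated into HTML as-is.
    return f"<td>{name}</td>"


def render_row_safe(name: str) -> str:
    # HTML body/attribute context: escape & < > " ' before interpolation.
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_js_literal(name: str) -> str:
    # JavaScript string context: JSON-encode, then escape < and > so the
    # value can never terminate an enclosing <script> block.
    return json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")


def session_cookie_header(token: str) -> str:
    # HttpOnly keeps document.cookie from exposing the session to injected
    # script; Secure and SameSite limit where the browser will send it.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")
```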