Content filter profile - arg with "/" isn't decoded #1129
Labels
bug
Something isn't working
Comments
Notice how the |
If you want to test this, you must use |
Describe the bug
When I send the arg `<script>` encoded with base64, the arg is decoded and blocked. But when I send `<script>alert()</script>` encoded with base64, the arg isn't decoded and isn't blocked. We don't do decoding for args with "/".
To Reproduce
Steps to reproduce the behavior:
```
curl -vv "[url]/t" -H "host:default.site" -d "xc=PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+"
```
Actual result: the request isn't blocked, we don't see encoded arg in logs.
![el 200](https://user-images.githubusercontent.com/56600129/207575894-eceb2d80-5308-4395-aa3e-4bdaa0b4c2a3.png)
Expected behavior
For example: if I send arg `<script>`, we see in Event log:
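A check worth running when reproducing the report above, as an added example that is not part of the issue or the project's code: it shows what value a form parser hands to a base64 decoding step when the body is sent raw with `curl -d` versus percent-encoded. `try_base64`, `inspect` and `urlencoded_body` are hypothetical helpers standing in for a filter's decoding stage; that the project parses and decodes this way is an assumption.

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote_plus

# Constructed sample: the payload string quoted in the issue.
PAYLOAD = "<script>alert()</script>"
B64 = base64.b64encode(PAYLOAD.encode()).decode()  # ends in '+'


def form_args(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body the way a server does:
    '+' becomes a space and %XX sequences are unescaped."""
    return dict(parse_qsl(body, keep_blank_values=True))


def try_base64(value: str):
    """Hypothetical filter step: return the decoded text if the value is
    strict base64 of UTF-8 text, otherwise None (value left undecoded)."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect(body: str) -> dict:
    """Per argument: (value after form decoding, base64-decoded text or None)."""
    return {k: (v, try_base64(v)) for k, v in form_args(body).items()}


def urlencoded_body(name: str, value: str) -> str:
    """Body with the value percent-encoded, as `curl --data-urlencode` sends it."""
    return f"{name}={quote_plus(value)}"


if __name__ == "__main__":
    cases = {
        "raw body (curl -d), <script>": "xc=" + base64.b64encode(b"<script>").decode(),
        "raw body (curl -d), full payload": "xc=" + B64,
        "percent-encoded body, full payload": urlencoded_body("xc", B64),
    }
    for label, body in cases.items():
        seen, decoded = inspect(body)["xc"]
        print(f"{label}\n  body:    {body}\n  arg:     {seen!r}\n  decoded: {decoded!r}")
```

If the raw body yields an undecoded argument while the percent-encoded body decodes, the test request rather than the `/` in the plaintext explains the missing event, and the reproduction should be repeated with the value percent-encoded before drawing a conclusion about the filter.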