You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Feb 26, 2023. It is now read-only.
Just thought about it: The Front-End should currently be vulnerable to XSS.
Not really a security concern because this software doesn't use sensitive data like passwords and everything that could be done via an injected script could as well just be done using a normal request without any further authorization.
But really in the end parameter input should be sanitized, the HTML should be escaped.
The only thing to discuss is whether or not we should do the escaping in the actual template or the users.js module, both would be possible, liquid provides an easy "escape"-filter while node doesn't really have a built-in function for that but it would be a single place to fix everything at the cost of a potentially higher complexity for more complicated URL parameters.
The text was updated successfully, but these errors were encountered:
Just thought about it: The Front-End should currently be vulnerable to XSS.
Not really a security concern because this software doesn't use sensitive data like passwords and everything that could be done via an injected script could as well just be done using a normal request without any further authorization.
But really in the end parameter input should be sanitized, the HTML should be escaped.
The only thing to discuss is whether or not we should do the escaping in the actual template or the users.js module, both would be possible, liquid provides an easy "escape"-filter while node doesn't really have a built-in function for that but it would be a single place to fix everything at the cost of a potentially higher complexity for more complicated URL parameters.
The text was updated successfully, but these errors were encountered: