go-tigertonic
                        Potential security issue (XSS in Accept header)
The HTTP response returns an unsanitized value from the Accept header. This may allow an attacker to conduct a cross-site scripting attack. Technically, the likelihood of exploiting this is very low. It requires the victim to use Internet Explorer with the MIME sniffing feature enabled; on top of that, setting these headers on the victim's request is not really possible, to my knowledge. However, I believe it is worth sanitizing user input here.
GET /xxx HTTP/1.1
Accept: xxx_<script>alert(/XSS/)</script>_yyy
Host: example.com
Connection: close
HTTP/1.1 406 Not Acceptable
Content-Type: text/plain
...
tigertonic.MarshalerError: Accept header "xxx_<script>alert(/XSS/)</script>_yyy" does not allow "application/json"
The underlying code is as follows: https://github.com/rcrowley/go-tigertonic/blob/master/marshaler.go
	if !isReader && !acceptJSON(r) {
		ResponseErrorWriter.WritePlaintextError(w, NewHTTPEquivError(NewMarshalerError(
			"Accept header %q does not allow \"application/json\"",
			r.Header.Get("Accept"),
		), http.StatusNotAcceptable))
		return
	}
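A hardened version of that 406 path, written as an added example (not tigertonic's own code): the echoed Accept value is reduced to printable ASCII and HTML-escaped, and `X-Content-Type-Options: nosniff` is set so a browser cannot sniff the plain-text body into HTML. `acceptsJSON` here is an assumed, simplified stand-in for the project's `acceptJSON`.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"strings"
)

// acceptsJSON is a simplified stand-in (an assumption, not tigertonic's acceptJSON):
// true when the Accept header is absent or lists application/json or */*.
func acceptsJSON(r *http.Request) bool {
	accept := r.Header.Get("Accept")
	if accept == "" {
		return true
	}
	for _, part := range strings.Split(accept, ",") {
		mt := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		if mt == "application/json" || mt == "*/*" {
			return true
		}
	}
	return false
}

// sanitizeHeaderValue makes a client-supplied value safe to echo: drop anything
// outside printable ASCII (CR/LF, NUL, control bytes), then HTML-escape the rest.
func sanitizeHeaderValue(v string) string {
	var b strings.Builder
	for _, c := range v {
		if c >= 0x20 && c < 0x7f {
			b.WriteRune(c)
		}
	}
	return html.EscapeString(b.String())
}

// JSONOnly replaces the unsanitized 406 path: it echoes a sanitized Accept value
// and sets X-Content-Type-Options so browsers do not sniff the body as HTML.
func JSONOnly(w http.ResponseWriter, r *http.Request) {
	if acceptsJSON(r) {
		w.WriteHeader(http.StatusOK)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotAcceptable)
	fmt.Fprintf(w, "tigertonic.MarshalerError: Accept header %q does not allow \"application/json\"\n",
		sanitizeHeaderValue(r.Header.Get("Accept")))
}
```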