
Sanitize dynamic parameters

Open eric-burel opened this issue 1 year ago • 1 comments

We should block requests with an absurd "lang" dynamic parameter (= first param of the URL in surveyform), typically people trying to shove SQL injections into route parameters. The lang param seems to end up being used as a Redis key even if not valid.

eric-burel avatar Jul 18 '24 07:07 eric-burel

I think we can use an allow-list, since we know in advance every valid value for that parameter?

SachaG avatar Jul 18 '24 10:07 SachaG

I've double-checked and it's OK for the State of JS: if your lang doesn't exist it will use the default one.

eric-burel avatar Oct 01 '24 15:10 eric-burel
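The two behaviours discussed in this thread, an allow-list check on the `lang` route parameter and a fallback to the default locale, as an added example that is not code from the surveyform project. The locale list, the default value, the Redis key format and the function names are constructed for illustration; the point is that only an allow-listed value ever reaches the cache key.

```javascript
// Added example (not surveyform code): allow-list validation of the "lang"
// route parameter before it is used to build a Redis key.

// Constructed sample allow-list; a real app would derive this from its locale config.
const SUPPORTED_LOCALES = Object.freeze(["en-US", "fr-FR", "es-ES", "de-DE"]);
const DEFAULT_LOCALE = "en-US";

// Exact membership check: non-strings and anything not in the list fail.
// No normalisation is attempted, so there is no way to smuggle characters through.
function isSupportedLocale(lang) {
  return typeof lang === "string" && SUPPORTED_LOCALES.includes(lang);
}

// Lenient mode (the behaviour described in the thread): an unknown lang falls
// back to the default locale instead of being used as-is.
function resolveLocale(lang) {
  return isSupportedLocale(lang) ? lang : DEFAULT_LOCALE;
}

// Strict mode: reject the request outright so the caller can answer 400.
function assertSupportedLocale(lang) {
  if (!isSupportedLocale(lang)) {
    const err = new Error("unsupported lang parameter");
    err.statusCode = 400;
    throw err;
  }
  return lang;
}

// The Redis key is built only from values that passed validation, so raw
// request input never becomes part of the key namespace. The surveyId slug
// pattern is an assumption for this example.
function cacheKeyForSurvey(surveyId, lang) {
  if (typeof surveyId !== "string" || !/^[a-z0-9-]{1,64}$/i.test(surveyId)) {
    throw new Error("invalid survey id");
  }
  const locale = resolveLocale(lang);
  return `survey:${surveyId}:locale:${locale}`;
}

// Usage: a junk lang value is neutralised before it can touch Redis.
console.log(cacheKeyForSurvey("state-of-js-2024", "' OR 1=1 --"));
```

Which mode to use is a product decision: the lenient `resolveLocale` matches the fallback behaviour reported in the thread, while `assertSupportedLocale` makes bad input visible in logs and metrics instead of silently serving the default locale.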