express-expose
express-expose copied to clipboard
XSS vulnerable
This module creates content for an inline <script>
tag. However, if anything in the content of that script tag includes </script>
, HTML5's parsing rules will prematurely end the tag there, allowing for XSS injection.
This module should modify any strings in the returned JSON (for keys or values) that include </script>
to be written as </"+"script>
.
I can't confirm whether this allows for an XSS injection vulnerability, but I do believe #34 fixes your concern.