enhanced-github icon indicating copy to clipboard operation
enhanced-github copied to clipboard

Published 20 hours ago verified publisher icon softvar

Resolve XSS vulnerability

Open zanothis opened this issue 3 years ago • 3 comments

Fixes #43, #96

zanothis avatar Oct 14 '21 20:10 zanothis

Hey @zanothis , Thanks for your contribution.

Could you please explain the changes and how they solve the XSS vulnerability?

softvar avatar Dec 09 '21 10:12 softvar

#43 & #96 were caused because the file names started with a " which allows for constructing a filename like "><iframe src="...">.png resulting in an iframe being injected into the page. By using encodeURIComponent, the filename is transformed into a safe string to be injected into the download attribute.

zanothis avatar Dec 09 '21 17:12 zanothis

@softvar any news on this? Or has the vulnerability been fixed somewhere else?

PedroHase avatar Sep 29 '22 09:09 PedroHase