testing-playground icon indicating copy to clipboard operation
testing-playground copied to clipboard
verified publisher icon testing-library

HTML injection

Open geeknik opened this issue 5 years ago • 0 comments

Hello, we have found an HTML injection flaw: http://testing-playground.com/%22%0D%0A/%3E%3Ch1%3E%3Ca%20href%3Dhttps://geeknik-labs.com%3EYour%20password%20is%20currently%20expired,%20please%20click%20the%20link%20to%20update%20your%20information%3C/a%3E%3C/h1%3E/

We believe this line is to blame due to the lack of input validation on ${frameSrc}: https://github.com/testing-library/testing-playground/blob/082fd30c1f368f69174ebc97f9f03514d8ccf0ef/src/lambda/server/server.js#L35

geeknik avatar Dec 06 '20 16:12 geeknik