[bisq-network/bisq-markets] html escape values passed in by ?callback param (#12)

peertrade notifications at github.com
Tue Jul 10 03:22:41 UTC 2018


This PR fixes a possible XSS vector via the ?callback parameter in the hloc and volumes APIs.

Previously these values were output to the caller unescaped.

The fix also does minor sanitation of the callback value, which is intended for use by the graph component of the website and should always start with "jQuery".
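As an added example that is not code from bisq-markets, the PHP below sketches the two controls the PR describes for a JSONP endpoint: an allowlist check that the callback starts with "jQuery" (the exact pattern and the function names are assumptions), and escaping of the value before it is written to the response.

```php
<?php
// Added illustrative example, not code from bisq-markets. It shows the two
// controls the PR describes for a JSONP endpoint: validate the ?callback
// value against the expected "jQuery..." shape, and escape it before output.
// The regex is an assumption about what jQuery's generated callback names
// look like (e.g. "jQuery112345_1530000000000"); it is not taken from the PR.

/**
 * Returns the validated callback name, or null if the value is not acceptable.
 * The allowlist is the real defence: only identifier characters are allowed,
 * so quotes, angle brackets, parentheses and semicolons never reach the output.
 */
function validate_callback(?string $cb): ?string
{
    if ($cb === null || $cb === '') {
        return null;
    }
    if (!preg_match('/^jQuery[A-Za-z0-9_]{0,64}$/', $cb)) {
        return null;
    }
    return $cb;
}

/**
 * Builds [status, content-type, body]. The callback is HTML-escaped as in the
 * PR; with the allowlist above this is belt and braces, since no special
 * characters remain. The response is served as JavaScript, not HTML.
 */
function render_response(array $payload, ?string $rawCallback): array
{
    $json = json_encode($payload, JSON_THROW_ON_ERROR);
    $cb = validate_callback($rawCallback);
    if ($rawCallback !== null && $rawCallback !== '' && $cb === null) {
        return [400, 'application/json', '{"error":"invalid callback"}'];
    }
    if ($cb === null) {
        return [200, 'application/json', $json];
    }
    $safe = htmlspecialchars($cb, ENT_QUOTES, 'UTF-8');
    return [200, 'application/javascript', $safe . '(' . $json . ');'];
}

// Constructed sample input: one benign callback and one hostile one.
foreach (['jQuery112345_1530000000000', '<script>alert(1)</script>'] as $cbValue) {
    [$status, $ctype, $body] = render_response(['btc_usd' => ['volume' => '1.5']], $cbValue);
    echo "$status $ctype\n$body\n\n";
}
```

Pair the endpoint with an `X-Content-Type-Options: nosniff` header so a browser cannot reinterpret the JavaScript response as HTML.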
You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq-markets/pull/12

-- Commit Summary --

  * HTML escape values passed in by ?callback param before output to browser. Also validate callback param input.

-- File Changes --

    M api/hloc/index.php (9)
    M api/volumes/index.php (8)

-- Patch Links --

https://github.com/bisq-network/bisq-markets/pull/12.patch
https://github.com/bisq-network/bisq-markets/pull/12.diff
