Background
The error message is echoing the parameter value that was in the wrong format: https://github.com/51Degrees/device-detection-dotnet/blob/e487c8649b0c52468b023c2a93b35f0e9c0fb4eb/FiftyOne.DeviceDetection/Messages.resx#L130. This apparently is there for the engineer's convenience.
This will appear on a page that will never be visible to the user and will be consumed by JavaScript, and at most the results can be made visible through debug logging.
However, it may not be desirable, as it causes some security scanners to false-alarm and misreport the vulnerability. The POST body may deliberately contain a URL-encoded piece of HTML, which will be URL-decoded and quoted in the response. It will then be detected by the scanner and make the alarm go off.
Fix
Let's remove the quoting of the wrong value of the parameter in the response - that will not let the HTML injection happen, even though on the invisible page it does not do any harm.
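
The reflection described above and a regression check for the fix, as an added C# example that is not code from this change or from the 51Degrees project. The message text, the `width` parameter name and all helper names are constructed for illustration.

```csharp
using System;
using System.Net;

// Added illustration: names and message text are constructed, not the project's own.
static class ReflectionCheck
{
    // "Before": the error text quotes the rejected value back to the caller.
    static string ErrorEchoingValue(string name, string value) =>
        $"Parameter '{name}' has an invalid format: '{value}'";

    // "After": the error text names the parameter only.
    static string ErrorWithoutValue(string name) =>
        $"Parameter '{name}' has an invalid format.";

    // Extract and URL-decode one field of an application/x-www-form-urlencoded body.
    static string FormValue(string body, string name)
    {
        foreach (var pair in body.Split('&'))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && WebUtility.UrlDecode(kv[0]) == name)
                return WebUtility.UrlDecode(kv[1]);
        }
        return string.Empty;
    }

    // Regression check: does the response contain the submitted value verbatim?
    static bool Reflects(string response, string submitted) =>
        !string.IsNullOrEmpty(submitted) &&
        response.IndexOf(submitted, StringComparison.Ordinal) >= 0;

    static void Main()
    {
        // Constructed POST body: a harmless URL-encoded tag used as a reflection marker.
        const string body = "other=1&width=%3Cb%3Emarker%3C%2Fb%3E";
        string value = FormValue(body, "width"); // URL-decoded form of the marker

        string before = ErrorEchoingValue("width", value);
        string after = ErrorWithoutValue("width");

        Console.WriteLine($"before reflects input: {Reflects(before, value)}");
        Console.WriteLine($"after reflects input:  {Reflects(after, value)}");

        // Fail loudly if a later change reintroduces the echo.
        if (Reflects(after, value))
            throw new Exception("error response still quotes the submitted value");
    }
}
```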