Closed eric-burel closed 1 month ago
We should block requests with an absurd "lang" dynamic parameter (= first param of the URL in surveyform), typically people trying to shove SQL injections into route parameters. The lang param seems to end up being used as a Redis key even if not valid.
I think we can use an allow-list, since we know in advance every valid value for that parameter?
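An added example (not part of the thread or the project's own code) of the allow-list approach suggested above: malformed values are rejected, well-formed but unknown values fall back to a default locale, and only an allow-listed value is ever used to build the cache key. The locale list, the `locale:` key prefix and the function names are assumptions made for illustration.

```javascript
// Constructed allow-list; a real deployment would load its own locale ids.
const DEFAULT_LOCALE = "en-US";
const LOCALES = ["en-US", "fr-FR", "es-ES", "pt-BR", "zh-Hans"];
// Lower-cased lookup so "en-us" resolves to the canonical "en-US".
const CANONICAL = new Map(LOCALES.map((l) => [l.toLowerCase(), l]));
// Shape of a locale tag: short, letters/digits/hyphens only.
const LOCALE_SHAPE = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8}){0,2}$/;

// Decide what to do with the raw first URL segment.
function resolveLang(raw) {
  // Route params can arrive as arrays or undefined; reject non-strings.
  if (typeof raw !== "string" || !LOCALE_SHAPE.test(raw)) {
    return { status: 400, locale: null, fellBack: false };
  }
  const known = CANONICAL.get(raw.toLowerCase());
  // Well-formed but unknown: serve the default locale instead of failing.
  return { status: 200, locale: known ?? DEFAULT_LOCALE, fellBack: !known };
}

// The cache key is derived from the resolved locale, never from raw input,
// so the set of possible keys is bounded by the allow-list.
function localeCacheKey(raw) {
  const { locale } = resolveLang(raw);
  return locale === null ? null : `locale:${locale}`;
}

// Constructed sample inputs.
for (const raw of ["fr-FR", "en-us", "de-DE", "en' OR 1=1--", "a".repeat(500)]) {
  const r = resolveLang(raw);
  console.log(JSON.stringify(raw.slice(0, 20)), r.status, localeCacheKey(raw));
}
```

Returning a 400 for malformed values and a fallback for unknown ones keeps junk out of the cache while leaving behaviour unchanged for real but unsupported locales.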
I've double-checked and it's OK for the State of JS: if your lang doesn't exist, it will use the default one.