GitbookIO / nuts

:chestnut: Releases/downloads server with auto-updater and GitHub as a backend
http://nuts.gitbook.com
Apache License 2.0
1.25k stars, 300 forks

Add escaping for bad platform string. #138

Open flohdot opened 7 years ago

flohdot commented 7 years ago

Mitigates XSS on bad download URLs such as https://YOUR.NUTS.URL/download/version/2.0.0/%3Cimg%20src=x%20onerror=alert(1)%3E and https://YOUR.NUTS.URL/download/channel/alpha/%3Cimg%20src=x%20onerror=alert(1)%3E

I don't see anywhere I could just insert a test for this in the existing suite.
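The bug class the PR description points at, as an added illustration that is not code from this PR or from nuts: a download route takes the platform segment from the URL and, when it is not recognised, reflects it into the error body. In Express, `res.send()` with a string defaults the Content-Type to `text/html`, so a reflected `<img src=x onerror=alert(1)>` executes in the browser. The route shape, the platform list and the function names below are assumptions made for the example; the hardened variant both HTML-escapes the reflected value and serves the error as `text/plain` with `X-Content-Type-Options: nosniff`, so the escaping is a second line of defence rather than the only one.

```javascript
// Added example, not nuts project code. Route shape and platform list are
// assumptions; only the URL-decoding and escaping logic is the point.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical set of platforms the server can serve.
const KNOWN_PLATFORMS = ['osx_64', 'win_64', 'win_32', 'linux_64', 'linux_32'];

// Extract the trailing platform segment from /download/version/<tag>/<platform>
// or /download/channel/<name>/<platform>, URL-decoded the way a router's
// req.params would deliver it. Returns null when the path does not match.
function platformFromPath(path) {
  const m = /^\/download\/(?:version\/[^/]+|channel\/[^/]+)\/([^/?#]+)/.exec(path);
  return m ? decodeURIComponent(m[1]) : null;
}

// Vulnerable: raw input concatenated into a body that will be sent as HTML.
function errorBodyVulnerable(platform) {
  return 'Unsupported platform: ' + platform;
}

// Hardened: escape before concatenation.
function errorBodyEscaped(platform) {
  return 'Unsupported platform: ' + escapeHtml(platform);
}

// Simulated request handling returning a plain response object instead of
// writing to an Express res, so the example runs without a server.
function handleDownload(path) {
  const platform = platformFromPath(path);
  if (platform !== null && KNOWN_PLATFORMS.includes(platform)) {
    // Real server would redirect to the asset for this platform (assumed URL).
    return {
      status: 302,
      headers: { Location: 'https://example.invalid/assets/' + platform },
      body: '',
    };
  }
  // Error path: escaped body AND a non-HTML content type, so even an
  // escaping slip elsewhere cannot be interpreted as markup by the browser.
  return {
    status: 404,
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: errorBodyEscaped(platform === null ? '' : platform),
  };
}
```

Run it against the URL from the PR description: `platformFromPath('/download/version/2.0.0/%3Cimg%20src=x%20onerror=alert(1)%3E')` yields the decoded `<img src=x onerror=alert(1)>`, `errorBodyVulnerable` hands that straight back, and `errorBodyEscaped` turns the angle brackets into `&lt;` and `&gt;`. A regression test for the PR could assert exactly that on the real route's error body.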

wallymathieu commented 6 years ago

Thanks!

loprima-l commented 1 year ago

Hi, I merged the project into a new repo to start maintaining it. I would be glad if you could put your pull request here: https://github.com/loprima-l/nuts-2