NCIOCPL / clinical-trials-listing-api

API for Clinical Trial (Dynamic) Listing Pages

Fix cross-site scripting vulnerability #44

Closed blairlearn closed 3 years ago

blairlearn commented 3 years ago

Issue description

Error messages should not return user inputs. This opens a potential for cross-site scripting vulnerabilities.

ESTIMATE TBD

Steps to reproduce the issue

  1. Browse to http://localhost:5000/listing-information/get?ccode=ccode=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Eorder(66)%3C/scRipt%3E

What's the expected result?

What's the actual result?

The key part being <scRipt>order(66)</scRipt>

Additional details / screenshot

Related Tickets
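The pattern the issue describes, shown as an added example that is not code from the clinical-trials-listing-api project or from the commenter. It decodes the ccode value from the repro URL in step 1 the way a server would see it, shows an error message that interpolates that raw value (the reported bug), and then two fixes: one that never returns the input, which is what the issue asks for, and a fallback that HTML-encodes the value when it must be shown. The route and parameter name come from the issue; the concept-code format check (C followed by digits) and every function name here are assumptions. One caveat worth stating: a browser only executes the payload if the error body is rendered as HTML, so sending errors as application/json with the right status code is part of the fix, not just the message text.

```python
"""Reflected-XSS pattern from issue #44: an error message that echoes the
raw ``ccode`` query parameter, beside two ways of fixing it.

Added example, not code from the clinical-trials-listing-api project.
Assumptions: the route and parameter come from the issue's repro URL; the
ccode format check (``C`` followed by digits) and all names are hypothetical.
"""
import json
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Reproduction URL copied from step 1 of the issue.
REPRO_URL = (
    "http://localhost:5000/listing-information/get"
    "?ccode=ccode=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Eorder(66)%3C/scRipt%3E"
)

# Hypothetical allow-list for a concept code: the letter C followed by digits.
CCODE_RE = re.compile(r"^C\d+$")


def extract_ccode(url: str) -> str:
    """Return the decoded ``ccode`` query value exactly as the server would see it.

    parse_qs splits on the first '=', so the second 'ccode=' in the repro URL
    becomes part of the value, together with the decoded markup.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("ccode", [""])[0]


def vulnerable_error(ccode: str) -> str:
    """The reported pattern: raw input interpolated into an HTML error body."""
    return f"<p>Unable to find listing for ccode {ccode}</p>"


def hardened_error(ccode: str) -> dict:
    """Fix matching the issue's guidance: say what was wrong, never echo the input.

    The body is JSON, so a browser will not treat it as a document; the
    status code and a fixed message carry the meaning.
    """
    problem = "missing" if not ccode else "malformed"
    return {
        "status": 400,
        "content_type": "application/json",
        "body": json.dumps({"error": f"ccode parameter is {problem}"}),
    }


def escaped_error(ccode: str) -> str:
    """Fallback when the value must be shown: HTML-encode it before interpolation."""
    return f"<p>Unable to find listing for ccode {escape(ccode, quote=True)}</p>"


def is_valid_ccode(ccode: str) -> bool:
    """Reject anything outside the expected format before it reaches any message."""
    return bool(CCODE_RE.match(ccode))


def contains_active_markup(body: str) -> bool:
    """Crude check for the demo: does a live <script tag survive in the body?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    raw = extract_ccode(REPRO_URL)
    print("decoded ccode :", raw)
    print("valid format? :", is_valid_ccode(raw))
    print("vulnerable    :", vulnerable_error(raw))
    print("hardened      :", hardened_error(raw))
    print("escaped       :", escaped_error(raw))
```

Run it stand-alone to see the three bodies side by side; the vulnerable one contains the live `<scRipt>order(66)</scRipt>` from the issue, the hardened one contains none of the input, and the escaped one shows the value as inert text. Validating the format up front, as `is_valid_ccode` does, keeps the payload out of every downstream path, including logs and error messages.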

blairlearn commented 3 years ago

Fixed by 84ffbee21cea010cb8183d8f4cd871123544ed70