PlaidWeb / webmention.js

Client-side library for rendering webmentions from webmention.io
MIT License

Add SECURITY.md #42

Closed psmoros closed 1 year ago

psmoros commented 1 year ago

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@tyage) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

fluffy-critter commented 1 year ago

I've added a SECURITY.md as requested.

Note that webmention.js is just reformatting data that comes from webmention.io, and that is responsible for doing any data sanitization, so if the issue is with the webmention endpoint allowing the injection of `<script>` et al., I'm aware, but that's a low priority to fix on the client side.