Open AlexDaniel opened 5 years ago
Go here: https://modules.perl6.org/search/?q=foo You will find a module called ../Foo.
../Foo
Clicking on it leads to this url:
https://modules.perl6.org/Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev
Instead of something like this (where ../ needs to be escaped):
../
https://modules.perl6.org/dist/../Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev
If I understand correctly, that's not a vulnerability by itself. I think links constructed with url_for can't have custom unescaped html in them. But it's still something that needs to be fixed.
url_for
Go here: https://modules.perl6.org/search/?q=foo You will find a module called
../Foo.Clicking on it leads to this url:
Instead of something like this (where
../needs to be escaped):If I understand correctly, that's not a vulnerability by itself. I think links constructed with
url_forcan't have custom unescaped html in them. But it's still something that needs to be fixed.