Open AlexDaniel opened 5 years ago
Go here: https://modules.perl6.org/search/?q=foo You will find a module called `../Foo`.

Clicking on it leads to this URL:
https://modules.perl6.org/Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev

Instead of something like this (where `../` needs to be escaped):
https://modules.perl6.org/dist/../Foo:github:Aleks-Daniel%20Jakimenko-Aleksejev

If I understand correctly, that's not a vulnerability by itself. I think links constructed with `url_for` can't have custom unescaped HTML in them. But it's still something that needs to be fixed.
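The link defect described in the report, reproduced as an added example that is not code from modules.perl6.org or from the Mojolicious `url_for` helper it uses. The `dist/Name:source:author` link shape is taken from the two URLs quoted above; `build_link`, `dist_id`, `resolve` and `dist_prefix_kept` are hypothetical helpers, and Python's `urljoin` stands in for the RFC 3986 reference resolution (including `remove_dot_segments`) a browser applies to an `href`. The unescaped variant shows the `dist/` component being swallowed by the `..` segment; the escaped variant percent-encodes the distribution name as a single path segment so the `/` inside it can no longer form a dot-segment.

```python
"""Why a distribution named "../Foo" loses its "dist/" prefix when pasted
raw into a URL path, and how encoding the name as one segment fixes it.

Added example; not the site's own code. The link layout is copied from
the report, the helper names are assumptions.
"""
from urllib.parse import quote, urljoin, urlsplit

SITE = "https://modules.perl6.org/"  # base from the report's URLs


def dist_id(name, source, author, escape):
    """Build the 'Name:source:author' identifier seen in the report's URLs.

    escape=False pastes the name in unchanged (the reported behaviour).
    escape=True percent-encodes it as a single path segment: every '/'
    becomes %2F, so '../Foo' turns into '..%2FFoo' and is no longer a
    dot-segment to the client. The author part always gets the default
    quoting, which turns the space into %20 as in the report.
    """
    segment = quote(name, safe="") if escape else name
    return f"{segment}:{source}:{quote(author)}"


def build_link(name, source, author, escape):
    """Relative href a page template would emit for the dist page."""
    return "dist/" + dist_id(name, source, author, escape)


def resolve(relative):
    """What the browser does with the href: resolve it against the site
    base, applying RFC 3986 dot-segment removal on the way."""
    return urljoin(SITE, relative)


def dist_prefix_kept(relative):
    """Defender's check: does the resolved link still live under /dist/?
    A False here means some part of the name escaped its path segment."""
    return urlsplit(resolve(relative)).path.startswith("/dist/")


if __name__ == "__main__":
    author = "Aleks-Daniel Jakimenko-Aleksejev"  # author named in the report
    for escape in (False, True):
        href = build_link("../Foo", "github", author, escape)
        print(f"escape={escape}: {href} -> {resolve(href)} "
              f"(prefix kept: {dist_prefix_kept(href)})")
```

Running it prints the unescaped link resolving to `https://modules.perl6.org/Foo:github:...` with the prefix lost, and the escaped link resolving to `https://modules.perl6.org/dist/..%2FFoo:github:...` with the prefix intact. The `dist_prefix_kept` check is the kind of assertion a route test can run over every name in the ecosystem index to catch names that break out of their segment.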