There are some issues with the examples such as a potential XSS. So if somebody does a composer install and the examples folder is accessible from the web root they will unintentionally make their application insecure.
I don't really have the time to go through the whole example set and properly test what escaping is required in what case. So what I did for now was just moving the file to the PHPS extension which will usually only display the source in a browser but not execute it.
Ref https://github.com/Yubico/php-u2flib-server/issues/38, https://hackerone.com/reports/192786
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
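A defender-side check for the situation the message describes, as an added example that is not part of the php-u2flib-server project or of this change: it walks a web document root and lists every `*.php` file that sits under an `examples` directory beneath `vendor/`, i.e. example scripts that a `composer install` may have placed where a web server will execute them. Files already renamed to `.phps` are not reported, since a default PHP handler configuration serves them as source rather than running them. The `vendor/<pkg>/examples` layout, the function names and the constructed sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not project code): find PHP example files under vendor/ that
# are reachable through the web document root. The vendor/*/examples layout
# and the function names below are assumptions for this demonstration.

# find_exposed_examples DOCROOT
# Prints each *.php file located under a directory named "examples" beneath
# DOCROOT/vendor, one path per line, sorted and de-duplicated.
# *.phps files are deliberately not matched: with a default PHP handler
# configuration they are displayed as source, not executed.
find_exposed_examples() {
    docroot="$1"
    find "$docroot/vendor" -type d -name examples -print 2>/dev/null |
        while IFS= read -r dir; do
            find "$dir" -type f -name '*.php' -print
        done | sort -u
}

# count_exposed_examples DOCROOT
# Prints the number of files find_exposed_examples would report.
count_exposed_examples() {
    find_exposed_examples "$1" | wc -l | tr -d ' '
}

# make_sample_docroot
# Builds a constructed sample document root in a temporary directory and
# prints its path. One example file is still executable (.php), one has been
# renamed to .phps, and one ordinary library file lives outside "examples".
make_sample_docroot() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor/acme/lib/examples" "$tmp/vendor/acme/lib/src"
    printf '<?php echo "example"; ?>\n' > "$tmp/vendor/acme/lib/examples/index.php"
    printf '<?php echo "example"; ?>\n' > "$tmp/vendor/acme/lib/examples/renamed.phps"
    printf '<?php class Lib {} ?>\n'     > "$tmp/vendor/acme/lib/src/Lib.php"
    printf '%s\n' "$tmp"
}

# Run with --demo to see the check against the constructed sample tree;
# otherwise call find_exposed_examples /path/to/docroot from your own scripts.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_docroot)
    find_exposed_examples "$root"
    rm -rf "$root"
fi
```

On a real deployment, point `find_exposed_examples` at the directory the web server actually serves; a non-empty result means an example script is both installed and executable from the web, and renaming it to `.phps` (as this change does) or keeping `vendor/` outside the document root removes the exposure.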