balanced / balanced-dashboard

The Balanced dashboard.
https://dashboard.balancedpayments.com/

XSS potential on bank account read screen #1644

Closed etipton closed 2 years ago

etipton commented 9 years ago

Via the API, we describe our transactions as "Payment from <tenant: id:[tenant_id]> to <landlord: id:[landlord_id]>" but this isn't being HTML-escaped in the dashboard:

[Screenshot taken 2015-03-05 at 12:50 AM]

[Screenshot taken 2015-03-05 at 12:52 AM]
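The bug class described in this report, shown as an added example (this is not code from the balanced-dashboard project): an API-supplied description string in the "Payment from <tenant: id:[tenant_id]> to <landlord: id:[landlord_id]>" format is interpolated straight into markup, so the angle brackets in it become live HTML. The fix is to escape the untrusted string before it is concatenated into the page. The helper names, the `<td>` wrapper and the sample ids are assumptions made for the example.

```javascript
// Added example, not code from the balanced-dashboard project.
// Rendering an untrusted transaction description into markup: the unsafe
// form (the defect reported in the issue) beside the escaped form.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can terminate HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the raw API string is interpolated into the markup,
// so any '<' or '>' in it is parsed as HTML by the browser.
function renderDescriptionUnsafe(description) {
  return `<td class="description">${description}</td>`;
}

// Safe rendering: escape the untrusted value first; the browser then shows
// the literal text "<tenant: id:...>" instead of interpreting it as a tag.
function renderDescriptionSafe(description) {
  return `<td class="description">${escapeHtml(description)}</td>`;
}

// Constructed sample in the format the issue quotes; the ids are made up.
const SAMPLE_DESCRIPTION = "Payment from <tenant: id:TN123> to <landlord: id:LL456>";

// Check used by the test: true when the cell body contains no raw markup
// characters, i.e. nothing in the untrusted value survived as HTML syntax.
function cellBodyIsInert(html) {
  const open = '<td class="description">';
  const body = html.slice(open.length, html.length - "</td>".length);
  return !/[<>]/.test(body);
}

console.log(renderDescriptionUnsafe(SAMPLE_DESCRIPTION)); // angle brackets reach the parser
console.log(renderDescriptionSafe(SAMPLE_DESCRIPTION));   // shown as literal text
```

Most template engines escape interpolated values by default and only emit raw markup through an explicit "unescaped" construct, so in practice this kind of defect usually comes from using that raw construct (or string concatenation outside the template engine) for a value that originated from the API rather than from trusted application code.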

cohitre commented 9 years ago

Nice catch! Fixed.

etipton commented 9 years ago

Great, thanks!