Issue #1227 describes an XSS vulnerability on the about page of cherokee-admin.
While the report by LogicalTrust only describes a JavaScript variant, a CSS method could also be probed via logo.gif.
The root cause is the request being verbatim copied into the HTML template. The request could be escaped, but that leads to the question: why are we presenting a full path, instead of a
relative path to the page? This change removes the full path and makes it relative. No URL is being printed in the template, so the XSS is avoided and therefore it should also be
faster.
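The pattern the message describes, as an added example that is not Cherokee's own code: a constructed about-page template that copies the request path verbatim, the escaped alternative the message considers, and the relative-path version it adopts, with a check showing whether a probe path reaches the rendered output. The template strings, function names and probe value are assumptions made for this illustration.

```python
# Added example (not cherokee-admin's code): three ways to build the about page
# and a check for whether the request path is reflected into the HTML.
import html

# Constructed template in the style the commit message describes: the full
# request path is interpolated to build URLs for the stylesheet and logo.gif.
ABOUT_TEMPLATE_FULL_PATH = (
    '<html><head><link rel="stylesheet" href="{path}/static/about.css"></head>'
    '<body><img src="{path}/static/logo.gif"></body></html>'
)

# Constructed template for the fix: references are relative to the page, so
# nothing from the request is printed into the document at all.
ABOUT_TEMPLATE_RELATIVE = (
    '<html><head><link rel="stylesheet" href="static/about.css"></head>'
    '<body><img src="static/logo.gif"></body></html>'
)


def render_about_verbatim(request_path: str) -> str:
    """The root cause: the request path is copied into the template unchanged."""
    return ABOUT_TEMPLATE_FULL_PATH.format(path=request_path)


def render_about_escaped(request_path: str) -> str:
    """The alternative the message considers: escape before interpolating."""
    return ABOUT_TEMPLATE_FULL_PATH.format(path=html.escape(request_path, quote=True))


def render_about_relative(request_path: str) -> str:
    """The adopted fix: the request path never reaches the template."""
    return ABOUT_TEMPLATE_RELATIVE


def reflects_request(render, request_path: str) -> bool:
    """Defensive check: does the request path appear unaltered in the output?"""
    return request_path in render(request_path)


# Constructed probe: a path carrying quote and tag characters.
PROBE = '/about"><b>marker</b>'

if __name__ == "__main__":
    for fn in (render_about_verbatim, render_about_escaped, render_about_relative):
        print(fn.__name__, "reflects probe:", reflects_request(fn, PROBE))
```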