Open asgrim opened 9 years ago
Similar issue here, but much more obvious:
You are storing unfiltered input into the cache - do you trust this data? (probably not, because it is from an external source).
Sorry, I don't know how I would make the JSON API return safe.
https://github.com/davidyell/CakePHP-CurrencyExchange/blob/3.x/src/Console/Command/RatesShell.php#L53
I'm not sure what happens under the hood as I'm not a Cake dev, but it looks like `$this->args[0]` is being used completely unfiltered. Always filter input and escape output :)
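As an added illustration of the "filter input" point above (this is not code from the CakePHP-CurrencyExchange project and does not use the Cake shell or cache APIs), the following plain PHP shows the unfiltered pattern beside a hardened one. It assumes, purely for the example, that the shell argument is meant to be a three-letter ISO 4217 currency code; the allowlist, the function names and the sample inputs are all constructed here.

```php
<?php
// Added example, not code from the CakePHP-CurrencyExchange project.
// Assumption: the shell argument is expected to be a three-letter ISO 4217 code
// that ends up in a cache key and in a request to an external rates API.

declare(strict_types=1);

final class CurrencyArgument
{
    // Constructed allowlist of codes the application actually supports.
    private const SUPPORTED = ['USD', 'EUR', 'GBP', 'JPY'];

    /**
     * Returns the normalised currency code, or null if the input is unacceptable.
     * Nothing that fails this check should reach the cache or the API call.
     */
    public static function normalise(?string $raw): ?string
    {
        if ($raw === null) {
            return null;
        }
        $code = strtoupper(trim($raw));
        // Shape check first: exactly three ASCII letters, nothing else.
        if (preg_match('/\A[A-Z]{3}\z/', $code) !== 1) {
            return null;
        }
        // Then the allowlist, so well-formed but unknown codes are rejected too.
        return in_array($code, self::SUPPORTED, true) ? $code : null;
    }

    /** Builds a cache key from a validated code only. */
    public static function cacheKey(string $code): string
    {
        return 'currency_rates_' . $code;
    }
}

// Unfiltered pattern: whatever was typed on the command line becomes the key.
function unsafeKey(array $args): string
{
    return 'currency_rates_' . ($args[0] ?? '');
}

// Hardened pattern: refuse to continue with anything that did not validate.
function safeKey(array $args): string
{
    $code = CurrencyArgument::normalise($args[0] ?? null);
    if ($code === null) {
        throw new InvalidArgumentException('Expected a supported three-letter currency code');
    }
    return CurrencyArgument::cacheKey($code);
}

// Constructed sample inputs; run with: php example.php
foreach ([['usd'], ['EUR'], ['../../etc/passwd'], ['XXX'], []] as $args) {
    $shown = var_export($args[0] ?? null, true);
    printf("unsafe: %-22s -> %s\n", $shown, unsafeKey($args));
    try {
        printf("safe:   %-22s -> %s\n", $shown, safeKey($args));
    } catch (InvalidArgumentException $e) {
        printf("safe:   %-22s -> rejected (%s)\n", $shown, $e->getMessage());
    }
}
```

The pattern check alone would let through a well-formed code the service does not support, which is why the allowlist sits behind it; the same normalised value is what should be used both for the cache key and for the outbound request, so there is only one place where untrusted input is turned into trusted data.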