Closed Ryuske closed 13 years ago
Blocked: The API has legitimate HTML in it, so until that is changed, there is no way to fix this.
The API should not have HTML in it IMO.
But - I guess the question is - are we using any of the fields that have HTML in them?
We've resolved this by no longer using the one field that returns HTML.
By doing this - we can now put it towards a deprecation page.
PoC: If you built the same file structure on a remote host as is on the dealertrend API server, then placed XSS somewhere in one of the inventory feed fields that are output, and then changed the backend URL to your rogue API URL, your XSS would be persistent on the inventory listings.
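The two controls this thread points at, pinning the backend host and escaping every feed field at output time, shown as an added example that is not code from this project. The host name, field names and sample record are hypothetical placeholders.

```javascript
// Added example. The host and field names below are hypothetical placeholders.
const ALLOWED_API_HOSTS = new Set(["api.example.test"]); // assumed trusted backend host

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a feed value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept a backend URL only when it is HTTPS and points at a pinned host.
function isTrustedBackend(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is never trusted
  }
  return url.protocol === "https:" && ALLOWED_API_HOSTS.has(url.hostname);
}

// Render a listing from an explicit list of display fields; every value is escaped.
const DISPLAY_FIELDS = ["year", "make", "model", "price"];
function renderListing(vehicle) {
  const cells = DISPLAY_FIELDS.map(
    (f) => `<span class="${f}">${escapeHtml(vehicle[f])}</span>`
  );
  return `<div class="listing">${cells.join("")}</div>`;
}

// Constructed sample: a feed record as an untrusted backend might return it.
const sample = {
  year: 2012,
  make: "Acme",
  model: "<script>alert(1)</script>",
  price: '"><img src=x onerror=alert(1)>',
  description_html: "<b>Low miles</b>", // HTML-bearing field, never rendered
};
```

Escaping at render time still matters when the backend host is pinned, because the feed content itself may be supplied by third parties.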