doubleface / cozy-databrowser

Cozy DataSystem search and visualisation

HTML is not escaped #41

Closed nicofrand closed 7 years ago

nicofrand commented 8 years ago

Any value should be escaped before being inserted in the user interface.

Example:

There is a bug in the virginmobile konnector which causes the konnector's application to be redirected to Virgin Mobile's website if the password is incorrect.

The issue is that the same redirection is done in Databrowser when clicking on the Konnector line in the left menu.

Here is the content of the ImportErrorMessage which might cause this:

```
Parsing error : Unexpected token <, body= Parsing error : Unexpected token <, body= 
 <!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="1;url=https://espaceclient.virginmobile.fr/login" />

        <title>Redirecting to https://espaceclient.virginmobile.fr/login</title>
    </head>
    <body>
        Redirecting to <a href="https://espaceclient.virginmobile.fr/login">https://espaceclient.virginmobile.fr/login</a>.
    </body>
</html>
```
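Added example (not code from the cozy-databrowser repository): the escaping the report asks for, written as a JavaScript function, with the raw interpolation beside the escaped one and the redirect document quoted above as the sample value. The `renderUnsafe`/`renderSafe` cell markup and the `containsActiveTag` check are assumptions for illustration, not Databrowser's own rendering code.

```javascript
// Added example, not part of cozy-databrowser: escape a value before it is
// interpolated into markup, so an ImportErrorMessage that happens to contain
// a whole HTML document is shown as text instead of being parsed by the browser.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Each metacharacter is replaced once, so already-escaped text is not double-escaped.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed cell markup): the raw value becomes part of the
// document, so the <meta http-equiv="refresh"> inside it is honoured.
function renderUnsafe(message) {
  return '<td class="import-error">' + message + '</td>';
}

// Fixed pattern: the browser renders the document source as visible text.
function renderSafe(message) {
  return '<td class="import-error">' + escapeHtml(message) + '</td>';
}

// Check helper (assumed): after removing the wrapping cell, does the rendered
// markup still contain a tag that would change page behaviour?
function containsActiveTag(markup) {
  const inner = markup.replace(/^<td[^>]*>|<\/td>$/g, '');
  return /<(meta|script|iframe|a)\b/i.test(inner);
}

// Sample value, taken from the ImportErrorMessage quoted in the issue.
const SAMPLE_MESSAGE = [
  'Parsing error : Unexpected token <, body= ',
  '<!DOCTYPE html><html><head><meta charset="UTF-8" />',
  '<meta http-equiv="refresh" content="1;url=https://espaceclient.virginmobile.fr/login" />',
  '</head><body>Redirecting to <a href="https://espaceclient.virginmobile.fr/login">login</a>.</body></html>',
].join('');
```

With `renderUnsafe` the meta refresh survives into the page, which is the redirection described in the report; with `renderSafe` the same message contains no literal `<` at all.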