Closed kltm closed 3 years ago
It is currently possible to inject disrupting code into browse that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:
http://noctua-amigo.berkeleybop.org/amigo/browsenleb9%3cimg%20src%3da%20onerror%3dalert('should-not-be-seen')%3ewjmjm
http://noctua-amigo.berkeleybop.org/amigo/browse/GO%3a0022008fx9bw%3cimg%20src%3da%20onerror%3dalert('should-not-be-seen')%3esm07h
Also see #575
It is currently possible to inject disrupting code into browse that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:
http://noctua-amigo.berkeleybop.org/amigo/browsenleb9%3cimg%20src%3da%20onerror%3dalert('should-not-be-seen')%3ewjmjm
http://noctua-amigo.berkeleybop.org/amigo/browse/GO%3a0022008fx9bw%3cimg%20src%3da%20onerror%3dalert('should-not-be-seen')%3esm07h
Also see #575