Closed kltm closed 3 years ago
It is currently possible to inject disrupting code into the bookmark variable that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:
bookmark
http://amigo-exp.geneontology.io/amigo/search/annotation?bookmark=%3C/script%3E%3Cscript%3Ealert('SHOULD-NOT-BE-SEEN')%3C/script%3E
I would expect a similar pattern to #608 , with a similar fix.
Nope, not an HTML template issue, but internal like some of the earlier sanitation issues.
Looking good I think; clearing.
It is currently possible to inject disrupting code into the
bookmark
variable that could be used to create an XSS attack for users on bad links. For example, the following URLs illustrate this, disrupting the variable creation:http://amigo-exp.geneontology.io/amigo/search/annotation?bookmark=%3C/script%3E%3Cscript%3Ealert('SHOULD-NOT-BE-SEEN')%3C/script%3E
I would expect a similar pattern to #608 , with a similar fix.