john / drive.vote

Drive the Vote arranges free rides to the polls on election day.
https://www.drive.vote/

/dispatch/[rz slug] - driver name double encoded in the google map #598

Open engerm opened 8 years ago

engerm commented 8 years ago

Description

A driver's name is double HTML Entity encoded.

See screen shot.

Version unknown https://dev.drive.vote

Steps

Create a driver with special characters in the name - e.g. <>"

Create a ride zone and assign the recently created driver to it

Navigate to ride zone's dispatch mode

Click on the driver in the map

Actual Results

Expected Results
1) The driver's name would not be double HTML entity encoded
2) The name would be properly encoded so as not to permit XSS or arbitrary HTML injection
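The following is an added illustration of the failure mode described in the steps above; it is not code from drive.vote. It assumes a hypothetical server that HTML-escapes the driver name before it reaches the page, and client code that escapes it a second time while building the info-window markup, which is how a name like `<>"` ends up displayed as `&lt;&gt;&quot;`. The `escapeHtml`, `buildInfoWindow*` and `looksDoubleEncoded` names are the example's own.

```javascript
// Added example (not drive.vote's own code): how a driver name gets
// double-encoded on its way into a map info window, how to encode it
// exactly once, and a quick check for the symptom.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in an HTML text or attribute context.
// Escaping '&' first (as part of the same pass) is what makes the function
// idempotence-safe to reason about: a second pass turns '&lt;' into '&amp;lt;'.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// The bug: the server (hypothetical templating helper) already escaped the
// name, and the client escapes it again before building the info-window HTML.
// The browser then shows the literal text "&lt;&gt;&quot;".
function buildInfoWindowDoubleEncoded(serverEscapedName) {
  return '<div class="driver">' + escapeHtml(serverEscapedName) + '</div>';
}

// The fix: ship the raw name to the client as data (e.g. JSON, where it is
// merely a string) and escape it exactly once, at the point where it is
// interpolated into HTML. Dropping escaping here *and* on the server would
// reintroduce the HTML injection the issue's expected result 2) warns about.
function buildInfoWindowOnceEncoded(rawName) {
  return '<div class="driver">' + escapeHtml(rawName) + '</div>';
}

// Symptom check: an already-escaped entity that was escaped again shows up
// as "&amp;lt;", "&amp;gt;", "&amp;quot;" and so on in the generated markup.
function looksDoubleEncoded(html) {
  return /&amp;(amp|lt|gt|quot|#39);/.test(html);
}

// Constructed sample input: a driver name built from the issue's repro step.
const SAMPLE_NAME = 'Pat <>" Driver';

// Stand-alone demonstration of both paths on the sample name.
function demo() {
  const serverEscaped = escapeHtml(SAMPLE_NAME);          // what a template helper emits
  const buggy = buildInfoWindowDoubleEncoded(serverEscaped);
  const fixed = buildInfoWindowOnceEncoded(SAMPLE_NAME);
  console.log('double-encoded:', buggy, looksDoubleEncoded(buggy));
  console.log('encoded once:  ', fixed, looksDoubleEncoded(fixed));
  return { buggy, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

An alternative that needs no string escaping at all is to build a DOM node, set its `textContent` to the raw name, and pass the node to the info window instead of an HTML string; the name is then never parsed as markup, so it can be neither double-encoded nor injected.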

engerm commented 8 years ago
[Screenshot, 2016-10-29 1:21:49 pm: driver name double encoded]
john commented 8 years ago

This is fugly, but only affects users with abusive/silly usernames, so triaging to icebox