Describe the bug
The example code to render providers contains a potential XSS vulnerability.
Steps to Reproduce
Expected behaviour
The example code should be safe to use.
Actual behaviour
The example code assumes that the API-provided data never contains any meta characters such as & or " or line feed. This is not promised by the documentation https://docs.paytrail.com/#/?id=provider so it should not be assumed. All the data must be correctly encoded for the correct context instead.

Note that the encoding needed for the part between the HTML tags (text node) is slightly different from the encoding of HTML attributes (element attribute string).