From 1cbb20506c714a12eff3abfa3dcc808076296835 Mon Sep 17 00:00:00 2001 From: Vasco Guita Date: Thu, 6 Oct 2022 11:57:09 +0200 Subject: [PATCH] patch_xss: add changelog --- changelog/unreleased/security-xss.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 changelog/unreleased/security-xss.md diff --git a/changelog/unreleased/security-xss.md b/changelog/unreleased/security-xss.md new file mode 100644 index 0000000000..c04e2d692a --- /dev/null +++ b/changelog/unreleased/security-xss.md @@ -0,0 +1,14 @@ +Security: Mitigate XSS + +We've mitigated an XSS vulnerability resulting from not sanitising the HTTP requests. +net/http provides a router – ServeMux, which does more than routing, it also sanitises +the requests. +Instead of using ServeMux we were directly using an http.Handler which routes the +request based on the URL.Path without sanitizing it. +Besides, in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go we were +creating http responses with user-provided values. +This patch adds a http.ServeMux to sanitise the request before reaching any other +handler and uses html.EscapeString to sanitise the user-provided values in the http +responses of pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go. + +https://github.com/cs3org/reva/pull/3316
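Review bot: the sentence "net/http provides a router – ServeMux, which does more than routing, it also sanitises the requests" in the new changelog overstates what the mux does; ServeMux only cleans the URL path (collapsing `.` and `..` segments and repeated slashes and redirecting to the canonical path), it does not inspect or encode request content, so the actual XSS mitigation in this change is the html.EscapeString applied to user-provided values in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go. Suggest rewording to "it also cleans the request path" so readers do not conclude that adding the mux alone closes the issue. Minor: the file mixes "sanitising" and "sanitizing" on consecutive lines; pick one spelling.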