patch_xss: remove ServeMux

changelog/unreleased/security-xss.md

@@ -1,14 +1,8 @@
 Security: Mitigate XSS
 
-We've mitigated an XSS vulnerability resulting from not sanitising the HTTP requests.
-net/http provides a router – ServeMux, which does more than routing, it also sanitises
-the requests.
-Instead of using ServeMux we were directly using an http.Handler which routes the
-request based on the URL.Path without sanitizing it.
-Besides, in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go we were
-creating http responses with user-provided values.
-This patch adds a http.ServeMux to sanitise the request before reaching any other
-handler and uses html.EscapeString to sanitise the user-provided values in the http
+We've mitigated an XSS vulnerability resulting from unescaped HTTP responses containing
+user-provided values in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go.
+This patch uses html.EscapeString to escape the user-provided values in the HTTP
 responses of pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go.
 
 https://github.com/cs3org/reva/pull/3316

pkg/rhttp/rhttp.go

@@ -351,11 +351,7 @@ func (s *Server) getHandler() (http.Handler, error) {
 		handler = triple.Middleware(traceHandler(triple.Name, handler))
 	}
 
-	// we implement our own routing with a http.Handler but we need ServeMux to sanitize the requests and avoid XSS
-	mux := http.NewServeMux()
-	mux.Handle("/", handler)
-
-	return mux, nil
+	return handler, nil
 }
 
 func traceHandler(name string, h http.Handler) http.Handler {