Skip to content

Commit

Permalink
patch_xss: add changelog
Browse files Browse the repository at this point in the history
  • Loading branch information
@vascoguita
vascoguita committed Oct 6, 2022
1 parent 6c9834e commit defa86a
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions changelog/unreleased/security-xss.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
Security: Mitigate XSS

We've mitigated an XSS vulnerability resulting from not sanitising the HTTP requests.
net/http provides a router – ServeMux, which does more than routing, it also sanitises
the requests.
Instead of using ServeMux we were directly using an http.Handler which routes the
request based on the URL.Path without sanitizing it.
Besides, in pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go we were
creating http responses with user-provided values.
This patch adds a http.ServeMux to sanitise the request before reaching any other
handler and uses html.EscapeString to sanitise the user-provided values in the http
responses of pkg/siteacc/siteacc.go and internal/http/services/ocmd/invites.go.

https://github.com/cs3org/reva/pull/3316

0 comments on commit defa86a

Please sign in to comment.