fix potential xss via unescaped url string (ampproject#3422)

* fix potential xss via unescaped url string * Send correct error code (status must be set before send) * Remove end
getzaymo · Jan 28, 2020 · 779134b · 779134b
1 parent 8f7f584
commit 779134b
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/...ntent/amp-dev/documentation/guides-and-tutorials/learn/spec/release-schedule.md b/...ntent/amp-dev/documentation/guides-and-tutorials/learn/spec/release-schedule.md
@@ -32,7 +32,7 @@ A new release of AMP is pushed to all AMP pages every week on Tuesday. **Once a
 
 The AMP runtime and extensions are provided through a variety of different _release channels_. Each channel serves a purpose for developers and for the AMP HTML Project itself. See the [release cadence section](#release-cadence) for a more detailed breakdown of how and when code from the [`ampproject/amphtml`](https://github.com/ampproject/amphtml) repository makes it into release builds.
 
-To determine if a PR has been included in any of the following release channels, look for the GitHub labels _PR Use: In Canary_, _PR Use: In Production_, or _PR Use: In LTS_ (see the section on [determining if your change is in a release](#Determining-if-your-change-is-in-a-release) for more details).
+To determine if a PR has been included in any of the following release channels, look for the GitHub labels _PR Use: In Canary_, _PR Use: In Production_, or _PR Use: In LTS_ (see the section on [determining if your change is in a release](#determining-if-your-change-is-in-a-release) for more details).
 
 ### Weekly <a name="weekly"></a>
 
@@ -48,7 +48,7 @@ The **lts** release channel provides a previous **stable** build for one-month i
 
 In the event that the second Monday of the month falls on a holiday, the promotion will be performed after the end of the release freeze.
 
-Important: Publishers using the **lts** release channel should not use newly introduced features. Because of the longer cycle, the **lts** release may be as much as seven weeks behind the `HEAD` of [`ampproject/amphtml`](https://github.com/ampproject/amphtml). See the section on [determining if your change is in a release](#Determining-if-your-change-is-in-a-release) to validate if a change will be ready with your chosen release cycle.
+Important: Publishers using the **lts** release channel should not use newly introduced features. Because of the longer cycle, the **lts** release may be as much as seven weeks behind the `HEAD` of [`ampproject/amphtml`](https://github.com/ampproject/amphtml). See the section on [determining if your change is in a release](#determining-if-your-change-is-in-a-release) to validate if a change will be ready with your chosen release cycle.
 
 ## Determining if your change is in a release <a name="determining-if-your-change-is-in-a-release"></a>
 

diff --git a/platform/lib/middleware/subdomain.js b/platform/lib/middleware/subdomain.js
@@ -54,6 +54,7 @@ class Subdomain {
       let subdomainApp = this.subdomainApps_[hostConfig.subdomain];
       if (!subdomainApp) {
         subdomainApp = express();
+        subdomainApp.disable('x-powered-by');
         subdomainApp.use(cors({
           origin: true,
           credentials: true,

diff --git a/playground/backend/api.js b/playground/backend/api.js
@@ -52,7 +52,7 @@ api.get('/fetch', async (request, response) => {
     response.send(doc);
   } catch (error) {
     console.error('Could not fetch URL', error);
-    response.send(`Could not fetch URL ${url}`).status(400).end();
+    response.status(400).send('Could not fetch URL');
   }
 });