Fix org_name XSS path #7
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
#ty sir. alex and i were far too focused on amusement it seems :-) |
|
I was thinking the same thing. Comedy does not preclude security. ;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
You can specify
origin=ccwhere cc is a country code as listed in the centroids FIPS10 column, and attacks will originate from there. Only works if one of the_modeargs is not specifiedbefore change, org name of
org_name=<script>alert(%27xss%27)</script>creates an alert box, confirming XSS. Changed to use the.text()property for proper escaping, closes XSS hole.see, e.g. http://darrenpmeyer.com/pewpew/?org_name=%3Cscript%3Ealert(%27xss%27)%3C/script%3E&origin=us