Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't allow xss in teacher training urls #769

Merged
merged 1 commit into from Aug 5, 2019

Conversation

rjlynch
Copy link
Contributor

@rjlynch rjlynch commented Aug 2, 2019

URI::regexp matches when there is text before the scheme, this allows
xss attacks.

Add an additional validation that the url must start with http:// or
https://

Context

fixing a bug from the security audit

Changes proposed in this pull request

Adds a validation that the url starts with http:// or https://

Guidance to review

URI::regexp matches when there is text before the scheme, this allows
xss attacks.

Add an additional validation that the url must start with http:// or
https://
@rjlynch rjlynch force-pushed the SE-1493/schools/on_boarding/xss-url branch from 8e4c3ca to 06a4bf0 Compare August 2, 2019 15:05
Copy link
Contributor

@jebw jebw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rjlynch rjlynch merged commit df177a5 into master Aug 5, 2019
@rjlynch rjlynch deleted the SE-1493/schools/on_boarding/xss-url branch August 5, 2019 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants