XSS attack <script>console.warm('pwned')</script> #21
Comments
Need to fix this ASAP
Ok, I think I fixed it with: htmlspecialchars($var, ENT_QUOTES, 'UTF-8'). However, need security review.
testing again
Seems ok now, but would really like a proper review. Maybe @attiks can do it or knows someone? The file in question is: https://github.com/ResponsiveImagesCG/responsiveimages.org/blob/master/issues.php#L86 (
did you push the latest changes?
ah, my bad. I did not. I only pushed to the website... pushing now.
That should do it.
Because we were not sanitizing the titles of GitHub bugs, we left ourselves open to an XSS attack. @marcoscaceres tried to fix this with:
But he is no PHP security expert.
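The fix discussed in the thread, shown as an added example that is not the responsiveimages.org code: a constructed issue title is echoed raw (the vulnerable form), with the default ENT_COMPAT flags, and with the ENT_QUOTES form from the comment above, so the difference between the three is visible in the output. The `render_*` function names and the sample titles are assumptions made for this example.

```php
<?php
// Added example, not the issues.php code from the repository.
// Constructed sample titles; the first mirrors the title of this issue,
// the second contains a single quote to show why ENT_QUOTES matters.
$titles = [
    "XSS attack <script>console.warm('pwned')</script>",
    "Bug in srcset 'sizes' handling",
];

// Vulnerable form: the raw title is written into the page unchanged, so a
// <script> tag in a GitHub issue title runs in every visitor's browser.
function render_unescaped(string $title): string {
    return "<li title='$title'>$title</li>";
}

// ENT_COMPAT (the default before PHP 8.1) encodes <, >, & and " but leaves
// the single quote alone, so a title containing ' can still terminate a
// single-quoted attribute value even though the tags are neutralised.
function render_compat(string $title): string {
    $half = htmlspecialchars($title, ENT_COMPAT, 'UTF-8');
    return "<li title='$half'>$half</li>";
}

// The fix from the comment thread: ENT_QUOTES encodes both " and ', and the
// explicit 'UTF-8' charset keeps multibyte titles intact. Note that without
// ENT_SUBSTITUTE, htmlspecialchars() returns an empty string for a title that
// contains invalid UTF-8, which silently blanks the entry rather than failing.
function render_escaped(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return "<li title='$safe'>$safe</li>";
}

foreach ($titles as $t) {
    echo "unescaped : " . render_unescaped($t) . "\n";
    echo "ENT_COMPAT: " . render_compat($t) . "\n";
    echo "ENT_QUOTES: " . render_escaped($t) . "\n\n";
}
```

htmlspecialchars() covers HTML text and quoted attribute values only; a title placed inside a JavaScript string or a URL needs a context-specific encoder instead.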