Commit
ClearIT informed us about a video from customer ComHem that showed how a carefully constructed message, which includes an as-of-right-now unknown Javascript file, allowed the customer from the External.app chat to see the agent's username and password. The code now escapes a few characters with HTML entity encoding to prevent this sort of attack. The code escapes the following characters:

  & into &amp;
  < into &lt;
  > into &gt;
  " into &quot;
  ' into &#x27;
  / into &#x2F;

This has been done according to the recommendation found here: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
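As an added illustration of the escaping the commit message describes (this is example code written for this page, not the project's own patch), the function below encodes the six characters listed above into the HTML entities the OWASP cheat sheet recommends, and renders a constructed chat message both unescaped and escaped so the difference is visible. The names `escapeHtml`, `renderSafe`, `renderUnsafe` and the sample message are assumptions made for the example.

```javascript
// Added example (not the project's code): HTML-entity escaping of the six
// characters named in the commit message, per the OWASP XSS prevention sheet.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape untrusted text before it is placed into an HTML element body.
// A single-pass regex is used so '&' is encoded exactly once and an
// already-present entity in the input cannot be turned back into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample of a chat message carrying markup (hypothetical input).
const SAMPLE_MESSAGE = 'Hi <script src="x.js"></script> & "bye"';

// Unsafe rendering: the message is concatenated straight into HTML, so any
// tags it contains become live markup in the agent's view.
function renderUnsafe(msg) {
  return '<li>' + msg + '</li>';
}

// Safe rendering: the message is escaped first, so it is displayed as text.
function renderSafe(msg) {
  return '<li>' + escapeHtml(msg) + '</li>';
}

// Defensive check: an escaped payload must contain no raw tag or quote chars.
function containsRawMarkup(text) {
  return /[<>"']/.test(text);
}

console.log(renderUnsafe(SAMPLE_MESSAGE));
console.log(renderSafe(SAMPLE_MESSAGE));
```

This encoder is only correct for text placed inside an HTML element body; values inserted into attributes, JavaScript, CSS or URLs need the context-specific encodings the same OWASP page describes, and escaping on output does not replace escaping-aware templating or a Content-Security-Policy as additional layers.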