There is a possibility that HTML should be passed back and forth, but because there are no cases of it right now, better safe than sorry. From now on, any requests to GET /fireHook containing a string argument (or returning a string argument) will be sanitized.
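Added example, not code from the project or from anyone in this thread: a plain-Ruby sketch of the fix the comment above describes, using the proof-of-concept URL from the report as constructed sample input. It parses the query string the way a Sinatra-style handler sees `params`, shows the reflected string rendered unescaped beside the version where every string in the arguments and in the hook's return value is HTML-escaped with `CGI.escapeHTML`, and checks whether a live `<script` tag survives. Function names (`parse_hook_params`, `sanitize_strings`, `render_safe`) and the hook return value are assumptions for illustration.

```ruby
require "cgi"
require "uri"

# Constructed sample input: the proof-of-concept URL from the report.
POC_URL = "http://localhost:4567/plugins/fireHook?hook=server.create_routes" \
          "&args=%3Cscript%3Ealert('yoyoyo');%3C/script%3E"

# Parse the query string into a Hash of string arguments, roughly what a
# Sinatra handler would see in `params` (hypothetical helper).
def parse_hook_params(url)
  query = URI.parse(url).query.to_s
  URI.decode_www_form(query).to_h
end

# Vulnerable shape: caller-controlled strings interpolated straight into HTML.
def render_unsafe(params)
  "<p>Fired #{params['hook']} with #{params['args']}</p>"
end

# Fix: HTML-escape every String, recursing through Arrays and Hashes, so both
# the incoming arguments and whatever the hook returns are inert in an HTML body.
def sanitize_strings(value)
  case value
  when String then CGI.escapeHTML(value)
  when Array  then value.map { |v| sanitize_strings(v) }
  when Hash   then value.transform_values { |v| sanitize_strings(v) }
  else value
  end
end

# Hardened shape: same markup, but only escaped strings reach it.
def render_safe(params, hook_result)
  safe_params = sanitize_strings(params)
  safe_result = sanitize_strings(hook_result)
  "<p>Fired #{safe_params['hook']} with #{safe_params['args']}</p>" \
  "<pre>#{safe_result}</pre>"
end

# Detection check used below: does the rendered HTML still open a script tag?
def script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  params = parse_hook_params(POC_URL)
  puts "unsafe : #{render_unsafe(params)}"
  # The hook's return value is a constructed second payload, to show that the
  # response side is escaped too, as the comment above calls for.
  puts "safe   : #{render_safe(params, '<img src=x onerror=alert(1)>')}"
end
```

`CGI.escapeHTML` is the right tool only because the value lands in an HTML text node; a string dropped into a JavaScript block or an attribute needs escaping for that context instead. If the endpoint is meant to return data rather than a page, the cleaner fix is to serve it as `application/json` with `X-Content-Type-Options: nosniff`, so the browser never treats the body as HTML at all. Browser-side filters are not a substitute for either: Chrome's XSS Auditor was removed in Chrome 78, so the "Chrome and Safari block it" observation further down no longer holds.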
He has a subtle point here however - there's a need for a responsible reporting venue for security related issues. Maybe something for another issue, but that's definitely something that should be considered for project development infrastructure.
http://localhost:4567/plugins/fireHook?hook=server.create_routes&args=%3Cscript%3Ealert('yoyoyo');%3C/script%3E
Chrome and Safari block it by default, but not sure if IE, Firefox, etc. will.
(let me know if there is a better way to submit security related issues.)