New plugins/fireHook route vulnerable to xss

[draco2003]

http://localhost:4567/plugins/fireHook?hook=server.create_routes&args=%3Cscript%3Ealert('yoyoyo');%3C/script%3E

Chrome and safari block it by default , but not sure if IE, firefox, etc.. will.

(let me know if there is a better way to submit security related issues.)

[julianlam]

Thank you @draco2003 for catching this one!

There is a possibility that HTML should be passed back and forth, but because there are no cases of it right now, better be safe rather than sorry. From now on, any requests to GET /fireHook containing a string argument (or returning a string argument) will be sanitized.

[katanacrimson]

He has a subtle point here however - there's a need for a responsible reporting venue for security related issues. Maybe something for another issue, but that's definitely something that should be considered for project development infrastructure.

[julianlam]

Agreed -- in the meantime, emailing one of the maintainers (myself, @psychobunny, or @barisusakli) will be sufficient.