This repository has been archived by the owner on Jan 10, 2019. It is now read-only.

Explain why you shouldn't return the unescaped query as HTML in Goodies #33

Closed
moollaza opened this issue Jan 22, 2014 · 0 comments

Comments

@moollaza (Member)

When creating a Goodie, the original query should not be directly returned as HTML, as this creates the possibility for XSS to occur.

Returning the original query in the plain-text Goodie output is alright though as we already escape it.

I suggest this be added to the FAQ and should also be mentioned in the Goodie tutorial.

This issue was originally mentioned in duckduckgo/zeroclickinfo-goodies#223
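The distinction the issue draws (plain-text output is escaped by the rendering layer, HTML output is inserted as-is) as an added illustration. This is not code from the Goodies repository: `render_zci` is a constructed stand-in for the framework's rendering step, and the two handlers mimic a Goodie that returns `(text, html)`.

```python
import html

# Constructed query that contains markup; a real query is attacker-controlled input.
SAMPLE_QUERY = 'convert <b>2+2</b> & more'


def render_zci(text: str, html_out: str) -> str:
    """Stand-in for the framework's renderer (assumption): the plain-text part is
    escaped before display, while the HTML part is trusted and inserted verbatim."""
    return f"<p>{html.escape(text, quote=True)}</p>{html_out}"


def unsafe_goodie(query: str) -> tuple[str, str]:
    """Bug described in the issue: the raw query is interpolated into the HTML part."""
    text = f"You searched for: {query}"
    return text, f'<div class="zci">You searched for: {query}</div>'


def safe_goodie(query: str) -> tuple[str, str]:
    """Fix: escape the query before it goes into the HTML part."""
    text = f"You searched for: {query}"
    escaped = html.escape(query, quote=True)
    return text, f'<div class="zci">You searched for: {escaped}</div>'


def query_markup_survives(query: str, rendered: str) -> bool:
    """Detection check: does any tag from the query appear unescaped in the output?"""
    return "<" in query and query in rendered


if __name__ == "__main__":
    for handler in (unsafe_goodie, safe_goodie):
        rendered = render_zci(*handler(SAMPLE_QUERY))
        status = "LEAKS MARKUP" if query_markup_survives(SAMPLE_QUERY, rendered) else "ok"
        print(f"{handler.__name__}: {status}\n  {rendered}")
```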
