New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS in Failure() #463
Comments
I'd consider it an edge case -- you should have your own error handler that does a better job. However, it's a valid point and now I'm no longer supporting older versions of CFML, a modern encoding function is fine. Per my comment on the PR, can you make that test pass too please, then I'll merge it. |
@NathanStrutz Your PR still fails the CI tests... |
Yeah I'm lazy and busy. It's a bad combination. I'll get to it... soon. |
Since yesterday, the CI tests are easier to run locally since it's all CommandBox/TestBox now, and all self-contained. No Ant, no MXUnit. I'm only pestering you because I'm actively working on 4.1 this week :) |
Oh that's great. Thanks. Maybe I should have put in a bug for that - I remember now that I couldn't get mxunit to run in Lucee, which was why I hadn't just churned it out. I'll give it another shot this weekend. Thank you! |
It is possible to introduce a XSS type of hack by creating an incorrect action. Example:
It can be mitigated by adding encodeForHTML() functions around variable outputs in the Failure() function.
The text was updated successfully, but these errors were encountered: