Hi! Thanks for the talk today at memSQL. I found it extremely valuable, as I haven't found time yet to explore the concept of SSR.
However, I noticed that you use stringify without escaping HTML entities; this could create a scenario of a persisted XSS vulnerability that wouldn't get caught by XSSAuditor or the like. For example: alfondotnet@e8181f6
So you would want to use a safe version of stringify that escapes HTML entities to avoid this problem.
Regards
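The unsafe and escaped serializations the comment describes, as an added example that is not part of the original issue, talk or repository; the state object, the function names and the inline-script layout are assumptions:

```javascript
// Added example (not the project's code): embedding SSR state in an inline
// <script>. JSON.stringify produces valid JSON, but the HTML parser does not
// care about JSON string boundaries: a stored value containing "</script>"
// terminates the script element early, which is the persisted XSS the issue
// describes.

// Vulnerable pattern: raw JSON.stringify output inside a <script> body.
function renderStateUnsafe(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Characters that must never appear raw in a <script> body (or that break a
// JS source literal). Each is replaced by a \uXXXX escape, which is still
// valid JSON, so JSON.parse on the client yields the original value.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line separator: legal in JSON, historically not in JS
  '\u2029': '\\u2029', // paragraph separator
};

// Safe stringify: same output as JSON.stringify, with the dangerous
// characters escaped. HTML does not decode entities inside <script>, which
// is why JSON escapes rather than &lt; style entities are used here.
function safeStringify(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function renderStateSafe(state) {
  return `<script>window.__STATE__ = ${safeStringify(state)};</script>`;
}

// Count occurrences of the closing tag in a rendered page fragment.
function closingScriptTags(html) {
  return html.split('</script>').length - 1;
}

// Constructed sample state: a user-controlled display name stored server-side.
const sampleState = { user: { name: 'Bob</script>' }, count: 2 };

// Unsafe render has two </script> tags (one injected), safe render has one,
// and the escaped JSON still round-trips to the original object.
function demo() {
  const unsafe = renderStateUnsafe(sampleState);
  const safe = renderStateSafe(sampleState);
  const roundTrip = JSON.parse(safeStringify(sampleState));
  return { unsafeTags: closingScriptTags(unsafe), safeTags: closingScriptTags(safe), roundTrip };
}
```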