
fix: XSS vulnerability #137

Merged
merged 3 commits into from Sep 29, 2020

Conversation

catnose99 (Contributor)

Found an XSS vulnerability around filenames.

Here is an example to reproduce.

```"><img/onerror="alert(location)"src=.>
aaa
```

I made a change so that filenames are escaped.
Thank you!
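As an added illustration of the report above (example code, not the plugin's own source): a minimal fenced-code renderer that copies the fence info string into the `class` attribute, shown once without escaping and once with the HTML-escaping the merged fix applies to the language class name. `escapeHtml` mirrors the behaviour of markdown-it's `utils.escapeHtml`; `parseFence`, `renderVulnerable`, `renderFixed` and `injectsMarkup` are hypothetical helpers written for this example, and the sample input is the reproduction from the report.

```javascript
// Added example, not code from the project. Demonstrates why an unescaped
// language name in the class attribute is an HTML injection, and that escaping
// the name (as the merged fix does) keeps it inside the attribute value.

// Same replacements as markdown-it's utils.escapeHtml (& < > " are encoded).
function escapeHtml(str) {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hypothetical parser for a single fenced block. As in markdown-it, the first
// whitespace-delimited word of the info string is taken as the language.
function parseFence(markdown) {
  const m = /^```([^\n]*)\n([\s\S]*?)\n```\s*$/.exec(markdown);
  if (!m) throw new Error('expected exactly one fenced code block');
  const info = m[1].trim();
  const lang = info.split(/\s+/)[0];
  return { lang, code: m[2] };
}

// Vulnerable shape: the fence body is escaped, but the language name is
// interpolated into the attribute verbatim, so a quote in it ends the attribute.
function renderVulnerable({ lang, code }) {
  return `<pre class="language-${lang}"><code class="language-${lang}">` +
    `${escapeHtml(code)}</code></pre>`;
}

// Fixed shape: the language name is escaped before it reaches the attribute.
function renderFixed({ lang, code }) {
  const safeLang = escapeHtml(lang);
  return `<pre class="language-${safeLang}"><code class="language-${safeLang}">` +
    `${escapeHtml(code)}</code></pre>`;
}

// Detection check for the rendered output: does it contain any tag other than
// the <pre>/<code> wrapper the renderer itself emits?
function injectsMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(pre|code)$/.test(t));
}

// Constructed sample input: the reproduction from the report, as one string.
const SAMPLE = '```"><img/onerror="alert(location)"src=.\naaa\n```';

const fence = parseFence(SAMPLE);
console.log('language name :', fence.lang);
console.log('vulnerable    :', renderVulnerable(fence));
console.log('  injects tag?:', injectsMarkup(renderVulnerable(fence)));
console.log('fixed         :', renderFixed(fence));
console.log('  injects tag?:', injectsMarkup(renderFixed(fence)));
```

`injectsMarkup` is a simple regression check: it returns `true` for the unescaped rendering of the sample and `false` once the language name is escaped, while an ordinary info string such as `js` renders identically in both versions.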

jGleitz (Owner) commented Sep 21, 2020

Hi @catnose99, thanks a lot for reporting & fixing this bug!

Your PR is currently failing in CI because commitlint complains. However, I think the semantic-pull-request check suffices, so I will remove commitlint altogether.

For your PR to be merged, it needs at least one unit test. Will you write one or shall I take over?

jGleitz (Owner) commented Sep 21, 2020

I removed commitlint in #138. If you rebase your branch, the CI should pass.

jGleitz (Owner) commented Sep 29, 2020

@catnose99, since you have not replied regarding whether you’ll write the unit test, I went ahead and did it myself. Once again: thank you for your contribution!

@jGleitz jGleitz merged commit c1c074b into jGleitz:master Sep 29, 2020
github-actions bot pushed a commit that referenced this pull request Sep 29, 2020
## [2.1.2](v2.1.1...v2.1.2) (2020-09-29)

### Bug Fixes

* escape the language class name so it cannot be used to inject HTML ([#137](#137)) ([c1c074b](c1c074b))
github-actions bot

🎉 This PR is included in version 2.1.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
