Join GitHub today
xss: XSS To LFI Vulnerability #4869
This addresses a vulnerability found by AkkuS where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack. The issue stems from the system returning the unformatted file contents in an error message when uploading a CSV to the User Importer. This formats the contents before uploading so that if the contents are returned in an error message they will not be executed by the browser which therefore prevents XSS attempts and the possibility of an LFI attack. This also formats all the user-created data sent to ImportError to prevent the same issue.