HTML escape the forced banner to prevent XSS (though this domain has no cookies so there would have been very limited harm from an XSS)

2024-11-25 01:33:28 +01:00 · 2022-10-15 09:58:47 -07:00 · 2022-10-15 09:58:47 -07:00 · 0da8021ab7
commit 0da8021ab7
parent abb0684140
1 changed files with 2 additions and 1 deletions
--- a/backend/server/server.go
+++ b/backend/server/server.go
@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io/ioutil"
 	"log"
 	"net/http"
@ -261,7 +262,7 @@ func apiBannerHandler(w http.ResponseWriter, r *http.Request) {
 	deviceId := getRequiredQueryParam(r, "device_id")
 	forcedBanner := r.URL.Query().Get("forced_banner")
 	fmt.Printf("apiBannerHandler: commit_hash=%#v, device_id=%#v, forced_banner=%#v\n", commitHash, deviceId, forcedBanner)
-	w.Write([]byte(forcedBanner))
+	w.Write([]byte(html.EscapeString(forcedBanner)))
 }

 func getDeletionRequestsHandler(w http.ResponseWriter, r *http.Request) {