Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #4249 - Fix CWE-79: Cross-Site Scripting #4250

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Issue #4249 - Fix CWE-79: Cross-Site Scripting #4250

wants to merge 1 commit into from

Conversation

omordyk
Copy link
Contributor

@omordyk omordyk commented Feb 6, 2025
edited
Loading

Description

Cross Site Scripting (XSS) vulnerability occurs when an application either does not perform or it performs incorrect neutralization (sanitization) of input data that is included in a web application response. As the result, an attacker is able to inject and execute arbitrary HTML and script code in a user's browser within the context of the vulnerable website. These attacks are often used to steal authentication credentials (e.g. session IDs in cookies). Depending on the vulnerability and the web application, it is also possible to completely alter the web page itself or control the victim's browser

A sensitive sink function was discovered in line 1167 of the file agreementbot/api.go. It causes a High severity Cross-Site Scripting vulnerability.

html.EscapeString is a function from Go’s html package that escapes a string to ensure any potentially unsafe characters (like <, >, ", and &) are converted into HTML entities (e.g., < becomes <).

Fixes # (issue)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

make test

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings
  • I have tagged the reviewers in a comment below incase my pull request is ready for a review
  • I have signed the commit message to agree to Developer Certificate of Origin (DCO) (to certify that you wrote or otherwise have the right to submit your contribution to the project.) by adding "--signoff" to my git commit command.

@omordyk
Copy link
Contributor Author

omordyk commented Feb 6, 2025

@LiilyZhang @kroczi pls review

LiilyZhang
LiilyZhang reviewed Feb 6, 2025
View reviewed changes
Copy link
Contributor

@LiilyZhang LiilyZhang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the e2edev failed on secret testing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LiilyZhang LiilyZhang LiilyZhang left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@omordyk @LiilyZhang