
some organizations need to authenticate with HTML entities #728

Closed
ElectricNroff opened this issue Jun 14, 2022 · 2 comments

Comments

@ElectricNroff (Contributor)

Sending

{"short_name": "AT&T", "name": "AT&T Corporation"}

to the POST /api/org endpoint results in a response containing

"short_name":"AT&amp;T"

because of "escape()" in

body(['short_name']).isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),

It's unclear why escape() is being used - there is no documentation stating that some parts of API responses are supposed to be interpreted as HTML. Use of escape() complicates how this CNA would authenticate to CVE Services. They need to send

CVE-API-ORG: AT&amp;T

However, in the pathname component of an API URL, they are required to use AT%26T and cannot use AT%26amp%3BT instead. For example, they could access the /api/org/AT%26T endpoint.
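As an added example (not code from the CVE Services project, and written against a plain in-memory Map rather than its real data store), the Node.js snippet below reproduces the mismatch described above: an identifier that is HTML-escaped at validation time no longer matches either the raw header value or the percent-decoded path segment, whereas storing the identifier as submitted and escaping only when it is rendered into HTML satisfies both lookups. The htmlEscape table is assumed to mirror the characters validator.js escape() rewrites.

```javascript
// Added example (not CVE Services code). The escape table mirrors what
// validator.js escape(), wrapped by express-validator, rewrites; assumed set.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '/': '&#x2F;', '\\': '&#x5C;', '`': '&#96;',
};

function htmlEscape(s) {
  return s.replace(/[&<>"'\/\\`]/g, (c) => HTML_ESCAPES[c]);
}

// "Before": the sanitizer mutates the value before it is stored, as in the
// body('short_name')...escape() chain quoted in the issue.
function storeOrgEscaped(db, shortName) {
  const stored = htmlEscape(shortName.trim());
  db.set(stored, { short_name: stored });
  return stored;
}

// "After": validate, but keep the identifier exactly as submitted. Escape only
// when the value is emitted into an HTML context, never when storing or comparing.
function storeOrgRaw(db, shortName) {
  const stored = shortName.trim();
  if (stored.length === 0) throw new Error('short_name must not be empty');
  db.set(stored, { short_name: stored });
  return stored;
}

// Lookups by the CVE-API-ORG header and by the percent-encoded /api/org/<name> path segment.
function lookupByHeader(db, headerValue) {
  return db.get(headerValue) ?? null;
}
function lookupByPath(db, pathSegment) {
  return db.get(decodeURIComponent(pathSegment)) ?? null;
}

// Constructed scenario: the same org registered both ways, then looked up.
function demo() {
  const escapedDb = new Map();
  const rawDb = new Map();
  return {
    escapedStored: storeOrgEscaped(escapedDb, 'AT&T'),            // "AT&amp;T"
    rawStored: storeOrgRaw(rawDb, 'AT&T'),                        // "AT&T"
    escapedHeaderHit: lookupByHeader(escapedDb, 'AT&T') !== null, // false
    escapedPathHit: lookupByPath(escapedDb, 'AT%26T') !== null,   // false
    rawHeaderHit: lookupByHeader(rawDb, 'AT&T') !== null,         // true
    rawPathHit: lookupByPath(rawDb, 'AT%26T') !== null,           // true
    renderedForHtml: htmlEscape(rawDb.get('AT&T').short_name),    // "AT&amp;T"
  };
}
```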

@slubar slubar added this to the CVE Services 2.1 milestone Jun 14, 2022
@jdaigneau5 (Collaborator)

Related to #729

@jdaigneau5 (Collaborator)

We'll be replacing express-validator's escape() with encodeURI because this will resolve issues with ' and &s. Should be done alongside #962.

jdaigneau5 added a commit that referenced this issue Nov 21, 2023
…es a different set of characters. Also removed "decodeEntities"
david-rocca added a commit that referenced this issue Nov 28, 2023
Resolves #962 #728 removed `decodeEntities`  and `escape` calls