Improve approach for handling bad characters in most endpoints #944
Comments
After discussion, the subset of restricted special characters will be reduced to <, >, and ".
david-rocca added a commit that referenced this issue on Nov 13, 2023:
…iddleware to all query parameters, then wrote test
david-rocca added a commit that referenced this issue on Nov 13, 2023
david-rocca added a commit that referenced this issue on Nov 13, 2023
david-rocca added a commit that referenced this issue on Nov 17, 2023:
…vides better failure information
david-rocca added a commit that referenced this issue on Nov 17, 2023
jdaigneau5 added a commit that referenced this issue on Nov 17, 2023:
Resolves issue #944 - Better filtering for invalid characters in query parameters
The index.js files for the cve, cve-id, and org controllers include numerous calls to the validate.js function escape() to convert the characters <, >, &, ', " and / to HTML entities. This has been deemed necessary to avoid some types of malicious attacks. However, rather than converting the characters to HTML entities, it would be better to throw an error indicating that the input is invalid.
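The contrast the issue draws, between escaping the characters into HTML entities and rejecting the request outright, is shown below as an added example. It is not code from cve-services; the middleware signature (req, res, next), the req/res stand-ins, the 400 response shape and the sample query values are all assumptions made for this illustration. The `escapeLikeIssueDescribes` helper re-implements only the six-character conversion the issue text describes, not validator's own escape(). The reject path walks arrays and nested objects too, since an Express-style query parser can produce those from repeated or bracketed keys; the default restricted set is the reduced one from the discussion (<, >, ") and the original six-character set is available for comparison.

```javascript
// Added example, not cve-services code. Shows "escape the characters" versus
// "reject the request" for query parameters containing restricted characters.

// The six characters the issue says escape() converts to HTML entities.
const ESCAPED_CHARS = ['<', '>', '&', "'", '"', '/'];
// The reduced set agreed in the discussion.
const RESTRICTED_CHARS = ['<', '>', '"'];

// Re-implementation of the conversion described in the issue (assumption:
// it mirrors validator's escape() only for these six characters). Note that
// the value is silently rewritten, so a lookup on the rewritten string no
// longer matches what the caller sent.
const ENTITY = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&#x27;', '"': '&quot;', '/': '&#x2F;' };
function escapeLikeIssueDescribes(s) {
  return String(s).replace(/[<>&'"/]/g, (ch) => ENTITY[ch]);
}

// Collect every scalar in a query value as a string. Express-style parsers can
// yield arrays (?id=a&id=b) and nested objects (?f[x]=1), so walk them all.
function flattenValues(value, out = []) {
  if (Array.isArray(value)) {
    value.forEach((v) => flattenValues(v, out));
  } else if (value !== null && typeof value === 'object') {
    Object.values(value).forEach((v) => flattenValues(v, out));
  } else if (value !== undefined && value !== null) {
    out.push(String(value));
  }
  return out;
}

// Restricted characters present in a value, in the order of the restricted list.
function findRestrictedChars(value, restricted = RESTRICTED_CHARS) {
  const strings = flattenValues(value);
  return restricted.filter((ch) => strings.some((s) => s.includes(ch)));
}

// Validate every parameter of a parsed query object.
// Returns { ok, errors } where errors names each offending parameter.
function validateQuery(query, restricted = RESTRICTED_CHARS) {
  const errors = [];
  for (const [name, value] of Object.entries(query)) {
    const found = findRestrictedChars(value, restricted);
    if (found.length > 0) errors.push({ param: name, chars: found });
  }
  return { ok: errors.length === 0, errors };
}

// Express-style middleware factory (assumed (req, res, next) shape). A bad
// parameter gets a 400 that says which parameter and which characters failed,
// instead of the input being rewritten and passed on.
function rejectRestrictedQueryChars(restricted = RESTRICTED_CHARS) {
  return function middleware(req, res, next) {
    const result = validateQuery(req.query || {}, restricted);
    if (!result.ok) {
      return res.status(400).json({
        error: 'BAD_INPUT',
        message: `Query parameters may not contain: ${restricted.join(' ')}`,
        details: result.errors,
      });
    }
    return next();
  };
}

// Minimal req/res stand-ins so the middleware runs without the framework.
function runMiddleware(query, restricted = RESTRICTED_CHARS) {
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  let passed = false;
  rejectRestrictedQueryChars(restricted)({ query }, res, () => { passed = true; });
  return { passed, statusCode: res.statusCode, body: res.body };
}

// Constructed sample queries (not real CVE Services traffic).
console.log(escapeLikeIssueDescribes('a/b&c'));                  // rewritten, request continues
console.log(runMiddleware({ state: 'PUBLISHED', page: '2' }));  // passes
console.log(runMiddleware({ name: 'foo<bar>' }));               // 400, reduced set
console.log(runMiddleware({ id: ['abc', 'x"y'] }));              // 400, array value
console.log(runMiddleware({ path: 'a/b&c' }));                   // passes under reduced set
console.log(runMiddleware({ path: 'a/b&c' }, ESCAPED_CHARS));    // 400 under the original six
```

The last two calls show the practical effect of narrowing the set: a value such as `a/b&c` is rejected under the original six characters but accepted once only <, > and " are restricted.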