This repository has been archived by the owner on Dec 11, 2019. It is now read-only.
verify our metascraper-based client code is not vulnerable #14066
Pretty sure this is OK because we don't evaluate any of the metascraper input as code. I will add a check to sanitize it for HTML just to be extra sure.
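As an added example (not code from browser-laptop, metascraper, or the commenter above), this is the kind of HTML sanitization check the comment describes: every string scraped from a third-party page is treated as untrusted and escaped before it is interpolated into markup, and fields that end up in `href`/`src` attributes are restricted to http(s) URLs. The field names follow metascraper's usual result shape; the helper names, the preview renderer and the hostile sample input are assumptions made for illustration.

```javascript
// Added example, not browser-laptop or metascraper code. Scraped metadata is
// untrusted input: escape it before it reaches HTML, and reject URL values
// whose scheme is not http(s). Field names follow metascraper's usual result
// shape; everything else here is an assumption for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in both text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) URLs for fields that land in href/src attributes, so a
// scraped "javascript:" or "data:" value cannot become a link or image target.
// Returns the escaped absolute URL, or '' if the value is unusable.
function safeUrl(value) {
  if (typeof value !== 'string') return '';
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return '';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return '';
  return escapeHtml(parsed.href);
}

// Return a copy of the scraped metadata in which every string is safe to place
// inside HTML text or a double-quoted attribute. Non-string values (metascraper
// returns null for missing fields) become empty strings.
function sanitizeMetadata(meta) {
  const out = {};
  for (const key of ['title', 'description', 'author', 'publisher']) {
    out[key] = typeof meta[key] === 'string' ? escapeHtml(meta[key]) : '';
  }
  for (const key of ['url', 'image']) {
    out[key] = safeUrl(meta[key]);
  }
  return out;
}

// Build a link-preview snippet from the sanitized fields. The unsafe pattern
// this replaces would interpolate meta.title and friends directly.
function renderPreview(meta) {
  const s = sanitizeMetadata(meta);
  const img = s.image ? `<img src="${s.image}" alt="">` : '';
  return `<a href="${s.url}">${img}<b>${s.title}</b> ${s.description}</a>`;
}

// Constructed hostile input, shaped like a scraped result from a malicious page.
const HOSTILE = {
  title: '<script>alert(1)</script>',
  description: '" onmouseover="alert(2)',
  image: 'javascript:alert(3)',
  url: 'https://example.com/post?a=1&b=2',
  author: null,
  publisher: undefined,
};

console.log(renderPreview(HOSTILE));
```

The point of the check is not the specific escape table but the boundary: nothing from the scraper is concatenated into HTML or assigned to an attribute without passing through `escapeHtml` or `safeUrl`, and any field that cannot be made safe is dropped rather than rendered.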
Verified test plan from #13114 (comment) with macOS 10.12.6 using
Verified on Windows x64
Verified on Ubuntu 17.10 x64
The BAT client code in browser-laptop copy/pasted some code from metascraper, which has an unfixed vuln: https://hackerone.com/reports/309367. We need to check whether it is vulnerable as well.
related: #14065
UPDATE: no test plan is needed since we aren't vulnerable to the issue in the first place AFAICT, but it would be good for QA to go through the test plan in #13114 (comment) to make sure it hasn't regressed.