Default formatter error can cause XSS rendering issue

[ctennis]

If you issue a request into an API endpoint with a format specified that is not handled, you get back a 406 error with message 'The requested format 'format' is not supported.'

The name of the specified format is rendered in the error message, which defaults as HTML. You can easily craft a format value that gets passed in and renders as an XSS. An example:

http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Renders as html:

The requested format '<script>alert(document.cookie)</script>' is not supported.

Which will cause a javascript popup if you visit this page in a browser.

[dblock]

Looks legit. Would appreciate at least a spec, maybe a fix, please. We can just drop the actual value I think.

[ctennis]

Happy to do so, but I'm not sure the best approach for fixing. The use of the format name in the script was done intentionally (#322 I believe). Ideally we'd sanitize the output before displaying it as html, but we don't know it's going to be displayed as html. ActionSupport has a safebuffer that could be used for sanitizing the html text prior to rendering, but we don't want to do that if the text won't be rendered as html.

[ctennis]

Actually I think I figured out a solution, PR forthcoming.

[dblock]

Closed via #1763.