Broken XSS example
nharraud opened this issue · 0 comments
nharraud commented
Hi,
I noticed that commit 7c293e7 has broken the XSS example.
1/ The website property is not saved in the database. Thus it will never be displayed.
NodeGoat/app/routes/profile.js
Lines 82 to 91 in e2dffdb
2/ The website property is not returned after an update.
NodeGoat/app/routes/profile.js
Lines 65 to 75 in e2dffdb
3/ The profile.html page still uses firstNameSafeString as a URL, which is confusing.
NodeGoat/app/views/profile.html
Line 78 in e2dffdb
4/ The profile.js:displayProfile does not return firstNameSafeString anymore.
NodeGoat/app/routes/profile.js
Lines 28 to 36 in e2dffdb
5/ Also, shouldn't firstNameSafeString and website be encoded with encodeForHTMLAttribute instead of encodeForHTML and encodeForURL? The current code seems to contradict the tutorial.
NodeGoat/app/routes/profile.js
Line 31 in e2dffdb
6/ The firstname is not sanitized after an update.
NodeGoat/app/routes/profile.js
Line 64 in e2dffdb
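The encoder distinction raised in point 5, as an added example that is not NodeGoat's or node-esapi's code: the three encoders below are simplified stand-ins, assumed to mirror ESAPI's immune-character sets (the HTML encoder leaves a space alone, the attribute encoder encodes it). `attributeNames`, `hrefAttrs` and `SAMPLE` are hypothetical names; the input is constructed.

```javascript
// Simplified stand-ins for the ESAPI-style encoders named in the issue.
// Assumption: immune sets follow ESAPI (HTML: ",.-_ " / attribute: ",.-_").
const ALNUM = /^[A-Za-z0-9]$/;

// Replace every character that is neither alphanumeric nor immune with &#xHH;
function entityEncode(value, immune) {
  return Array.from(String(value), (ch) =>
    ALNUM.test(ch) || immune.includes(ch)
      ? ch
      : `&#x${ch.codePointAt(0).toString(16)};`
  ).join("");
}

const encodeForHTML = (v) => entityEncode(v, ",.-_ ");          // space survives
const encodeForHTMLAttribute = (v) => entityEncode(v, ",.-_"); // space encoded
const encodeForURL = (v) => encodeURIComponent(String(v));     // percent-encoding

// Hypothetical helper: list the attribute names a tokenizer would split out
// of the attribute section of a tag (quoted, single-quoted or unquoted values).
function attributeNames(attrs) {
  const names = [];
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s]*))?/g;
  let m;
  while ((m = re.exec(attrs)) !== null) names.push(m[1]);
  return names;
}

// Place an encoded value into an UNQUOTED href, the case where the
// encoder choice changes the parse.
function hrefAttrs(encoder, value) {
  return "href=" + encoder(value);
}

// Constructed input: a value containing a space and an equals sign.
const SAMPLE = "x title=injected";

for (const [name, enc] of Object.entries({
  encodeForHTML, encodeForHTMLAttribute, encodeForURL,
})) {
  const attrs = hrefAttrs(enc, SAMPLE);
  console.log(name.padEnd(24), attrs, "->", attributeNames(attrs));
}
```

Applied to a whole URL, the `encodeForURL` stand-in also percent-encodes `:` and `/`, so it fits a URL component rather than a complete link target.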