adalyte/mocki

XSS (HIGH)

Opened this issue · 0 comments

```js
res.set(
  'Access-Control-Allow-Headers',
  'Origin, X-Requested-With, Content-Type, Accept'
);
return res.send(graphqlResponse);
```

Unsanitized input from the HTTP request body flows into `send`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).
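
One way to harden the flagged `res.send(graphqlResponse)` call, as an added example that is not part of the original issue or of mocki's code: Express sets `Content-Type: text/html` when `res.send` receives a string and no type has been set, so this version sends an explicit JSON type with `nosniff` and escapes markup characters in the serialized body. `sendJsonSafely`, `toInertJson` and `makeFakeRes` are hypothetical names, and the fake `res` object and sample payload are constructed so the block runs without Express.

```javascript
// Added example: hardened replacement for `return res.send(graphqlResponse)`.
// All function names here are hypothetical, not taken from mocki.

// Characters that let JSON text break out into markup or a <script> block.
const UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize to JSON, then rewrite markup-significant characters as \uXXXX
// escapes. The result parses to the same value but contains no raw < > &.
function toInertJson(value) {
  // Assumption: a string payload is already-serialized JSON. Anything that
  // does not parse is rejected instead of being echoed back.
  const parsed = typeof value === 'string' ? JSON.parse(value) : value;
  const json = JSON.stringify(parsed);
  if (json === undefined) throw new TypeError('payload is not JSON-serializable');
  return json.replace(UNSAFE, (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Send with an explicit JSON type so Express does not fall back to text/html
// for string bodies, and tell the browser not to sniff the content type.
function sendJsonSafely(res, payload) {
  let body;
  try {
    body = toInertJson(payload);
  } catch (err) {
    res.status(500);
    body = '{"errors":[{"message":"response could not be serialized"}]}';
  }
  res.set('Content-Type', 'application/json; charset=utf-8');
  res.set('X-Content-Type-Options', 'nosniff');
  return res.send(body);
}

// Constructed stand-in for an Express response, so the example runs offline.
function makeFakeRes() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.set = (name, value) => { res.headers[name.toLowerCase()] = value; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Constructed input: a response object that reflects a request-body field.
function demo() {
  const reflected = { data: { echo: '<script>alert(1)</script>' } };
  return sendJsonSafely(makeFakeRes(), reflected);
}
```

In a real handler the only change is replacing `return res.send(graphqlResponse);` with `return sendJsonSafely(res, graphqlResponse);`.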