Cross-Site Scripting (XSS) medium risk

[lalit774]

Describe the bug

The koa package is vulnerable to Cross-Site Scripting (XSS). The redirect function in response.js outputs an HTML hyperlink of the supplied URL in the body of the redirect response without sanitizing the URL. An attacker can exploit this by inputting a JavaScript URL that would then be executed.

The application is vulnerable by using this component and passing unvalidated input to the redirect() method. Additionally, the vulnerability can only be exploited if a user is running an older browser.

Root Cause
koa-2.15.3.tgzpackage/lib/response.js[0.0.2, )

#1250
#1289

[laverdet]

This user is spamming GPT CVE's.

[lalit774]

@laverdet

it is not only chat gpt. We see all those issue in nexus scan. For you it might not be the problem. It easy for you to blame people for reporting. I am not working on all open source plugins. We are using a sub dependency. If you have any big problems. Or it does not make sense. Please ignore it. I did not send this message for you.

[laverdet]

I did not send this message for you.

You literally did, when you opened #516 in my repository and others. I mean this in the kindest way possible: this behavior isn't acceptable on GitHub.

[lalit774]

Ok. It is open source. Any one can put their opinion. If you don’t agree. That’s fine. You should nice with other people.