Close XSS issue in /base64 endpoint (fixes #67) (#68)

mccutchen · web-flow · commit b42779a256a2 · 2021-11-29T17:28:18.000-05:00
diff --git a/httpbin/handlers.go b/httpbin/handlers.go
@@ -982,7 +982,7 @@ func (h *HTTPBin) Base64(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, fmt.Sprintf("%s failed: %s", b.operation, base64Error), http.StatusBadRequest)
 		return
 	}
-	writeResponse(w, http.StatusOK, "text/html", result)
+	writeResponse(w, http.StatusOK, "text/plain", result)
 }
 
 // JSON - returns a sample json
diff --git a/httpbin/handlers_test.go b/httpbin/handlers_test.go
@@ -2425,6 +2425,7 @@ func TestBase64(t *testing.T) {
 			w := httptest.NewRecorder()
 			handler.ServeHTTP(w, r)
 			assertStatusCode(t, w, http.StatusOK)
+			assertContentType(t, w, "text/plain")
 			assertBodyEquals(t, w, test.want)
 		})
 	}

Original file line number	Diff line number	Diff line change
`@@ -982,7 +982,7 @@ func (h HTTPBin) Base64(w http.ResponseWriter, r http.Request) {`
`982`	`982`	`http.Error(w, fmt.Sprintf("%s failed: %s", b.operation, base64Error), http.StatusBadRequest)`
`983`	`983`	`return`
`984`	`984`	`}`
`985`		`- writeResponse(w, http.StatusOK, "text/html", result)`
	`985`	`+ writeResponse(w, http.StatusOK, "text/plain", result)`
`986`	`986`	`}`
`987`	`987`
`988`	`988`	`// JSON - returns a sample json`
Original file line number	Diff line number	Diff line change
`@@ -2425,6 +2425,7 @@ func TestBase64(t *testing.T) {`
`2425`	`2425`	`w := httptest.NewRecorder()`
`2426`	`2426`	`handler.ServeHTTP(w, r)`
`2427`	`2427`	`assertStatusCode(t, w, http.StatusOK)`
	`2428`	`+ assertContentType(t, w, "text/plain")`
`2428`	`2429`	`assertBodyEquals(t, w, test.want)`
`2429`	`2430`	`})`
`2430`	`2431`	`}`