
The example code to render providers contains a potential XSS vulnerability #109

@mikkorantalainen

Description


Describe the bug

The example code to render providers contains a potential XSS vulnerability.

Steps to Reproduce

  1. Go to the JavaScript example payment-provider-form in the documentation
  2. Use the example code

Expected behaviour

The example code should be safe to use.

Actual behaviour

The example code assumes that the API-provided data never contains any meta characters such as & or " or line feed. This is not promised by the documentation https://docs.paytrail.com/#/?id=provider so it should not be assumed. All the data must be correctly encoded for the correct context instead.

Note that the encoding needed for the part between the HTML tags (text node) is slightly different from the encoding of HTML attributes (element attribute string).

Labels: question (Further information is requested)