Injection attacks possible #15

@chris-morgan


Just came across this. Since we’re talking security, I took a look at the code. I was distressed to find HTML was being output without escaping in almost all places in .dynamic/routes.js, several of which are injection vulnerabilities, very obvious ones in my opinion, though I don’t think any are practically exploitable—and even if they were, there’s no user data on the site so it’s not likely to make any difference. But still, it’s the principle of the thing.

https://should-i-pipe.it/http://'><script>alert();</script> is almost exploitable XSS, but in practice the URL Standard serialiser percent-encodes angle brackets, and so browsers are saved—though the single quote is not percent-encoded, so you still end up with mangled, invalid HTML. https://should-i-pipe.it/http://'style='color:lime is fun.

The other one that stands out to me is verifier URL and name, but that would require someone sneaking something into .dynamic/verified-hashes.json.
