You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It was brought up today that it could be possible for data providers to return HTML within name strings.
In particular, malicious tags such as <script src="attack.js" />could cause problems for browsers consuming the data who are not following security best practices (eg. using dangerouslySetInnerHTML in React).
It might be worth us stripping HTML from all fields which could be rendered in the browser.
A SQL query against WOF didn't find any HTML elements, I also tried to check OSM but didn't find any, although I don't doubt nefarious people edit OSM for this purpose.
The text was updated successfully, but these errors were encountered:
It was brought up today that it could be possible for data providers to return HTML within name strings.
In particular, malicious tags such as
<script src="attack.js" />could cause problems for browsers consuming the data who are not following security best practices (eg. usingdangerouslySetInnerHTMLin React).It might be worth us stripping HTML from all fields which could be rendered in the browser.
A SQL query against WOF didn't find any HTML elements, I also tried to check OSM but didn't find any, although I don't doubt nefarious people edit OSM for this purpose.
The text was updated successfully, but these errors were encountered: