Fixed XSS security bug #1929
Conversation
set Content-Type response header as text/plain rather than default text/html
This pull request is automatically built and testable in CodeSandbox. Latest deployment of this branch is based on commit 8ba7076.
@plouc
@plouc Could you take a look at this? I think this PR should be fairly easy to review and an important issue to be looking at; having a security flaw isn't good for anyone.
@Izurii, yes it was easy to review, I had a look at it, but the CI is failing, which is also not good for anyone ;).
@r0hanSH, thank you for this fix, could you please also fix the failing tests? (It's a formatting issue.)
Ohh, I didn't see that before. I agree with you, CI failing is not good either. Thanks for the reply. I really liked using this library and I want to see it growing. I used recharts, react-chartjs-2 and highcharts (too costly) before; among all of them, I'm starting to use this library in most of my projects.
@plouc I pushed the required changes.
Thank you @r0hanSH!
@plouc can you please validate and close this report? https://huntr.dev/bounties/986fb54a-9353-43c1-9433-9a54b3d31e6e/
Fix: set Content-Type response header as text/plain rather than default text/html
The actual vulnerability was reported by me on huntr.dev platform.
People having write permissions on this repo can see the actual vulnerability report at:
https://huntr.dev/bounties/986fb54a-9353-43c1-9433-9a54b3d31e6e/
JamieSlome asked you to create SECURITY.md a month ago (#1891) for this vulnerability.
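The change this PR describes, shown as an added example that is not the project's own code: a request handler that echoes a user-controlled value back to the browser, first with a text/html response (the default a framework such as Express applies to a string body; this is an assumption about the original bug, since the PR only says "default text/html") and then with the fix, an explicit text/plain Content-Type. The example also sends X-Content-Type-Options: nosniff, which goes beyond what the PR changes: it stops browsers from sniffing the plain-text body back into HTML. The handler shape matches Node's http.createServer callback; the recording response object and the sample query string are constructed here for offline checking.

```javascript
// Added example, not code from the PR or the project. Shows the weak default
// (text/html) beside the fix (text/plain) for an endpoint that reflects input.

// Constructed sample endpoint: reflects a user-supplied "title" query value.
function renderEcho(userInput) {
  return `You asked for: ${userInput}`;
}

function titleFromRequest(req) {
  // req.url is the path plus query string, as Node's http module provides it.
  const url = new URL(req.url, 'http://localhost');
  return url.searchParams.get('title') || '';
}

// Before: the reflected string is served as HTML (assumed framework default),
// so markup in the query value is rendered and scripts in it would execute.
function vulnerableHandler(req, res) {
  const body = renderEcho(titleFromRequest(req));
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end(body);
}

// After: the same bytes are declared as plain text, so the browser displays
// them instead of parsing them. nosniff is an extra hardening step (not part
// of the PR) that prevents content sniffing from overriding the declared type.
function fixedHandler(req, res) {
  const body = renderEcho(titleFromRequest(req));
  res.writeHead(200, {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  });
  res.end(body);
}

// Constructed test double: runs a handler without opening a socket and records
// status, headers and body so the response can be inspected.
function invoke(handler, path) {
  const rec = { statusCode: 0, headers: {}, body: '' };
  const res = {
    writeHead(code, headers) {
      rec.statusCode = code;
      Object.assign(rec.headers, headers || {});
    },
    end(chunk) {
      rec.body += chunk || '';
    },
  };
  handler({ url: path }, res);
  return rec;
}

// Regression check a reviewer could keep: a reflected-text endpoint must
// declare text/plain and forbid sniffing.
function isSafeTextResponse(rec) {
  const ct = String(rec.headers['Content-Type'] || '').toLowerCase();
  return ct.startsWith('text/plain') && rec.headers['X-Content-Type-Options'] === 'nosniff';
}

// Usage: a constructed query carrying markup in the reflected parameter.
const samplePath = '/echo?title=<b>hello</b>';
const before = invoke(vulnerableHandler, samplePath);
const after = invoke(fixedHandler, samplePath);
console.log('before:', before.headers['Content-Type'], 'safe =', isSafeTextResponse(before));
console.log('after: ', after.headers['Content-Type'], 'safe =', isSafeTextResponse(after));
```

Both handlers send exactly the same body; only the headers differ. That is the point of the PR: the reflected value does not need to change for the response to stop being an XSS sink, the browser just has to be told not to treat it as a document.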