Issue G. Cross-Site Scripting in HTTPRandomPage
At 2014-04-23 11:55:09 Arturo Filastò wrote: The HTTPRandomPage helper reflects user input in the output without escaping it. This helper is currently disabled so it does not pose an immediate security risk.
Mitigation:
Current users are not at risk because the HTTPRandomPage helper is disabled.
Remediation:
To remediate this issue, either remove the HTTPRandomPage code or make it safe. To make it safe, escape the reflected input or set the Content-Disposition header so that browsers will download the file instead of interpreting it as HTML.
This issue was automatically migrated from GitHub issue https://github.com/TheTorProject/ooni-probe/issues/305
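The two remediation options named in the issue, shown beside the unsafe reflection, as an added example that is not ooni-probe's own code. The function names, the fixed filename and the probe string are hypothetical, and the `text/plain` and `nosniff` headers are an extra hardening assumption beyond what the issue lists.

```python
import html
import random
import string

ALPHABET = string.ascii_letters + string.digits
# Constructed probe input, used only to show the difference in output.
PROBE = "<script>alert(1)</script>"


def _random_text(length, rng):
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def random_page_unsafe(length, keyword, rng=random):
    """Behaviour the issue describes: the keyword is reflected verbatim
    in a response the browser will interpret as HTML."""
    half = length // 2
    body = _random_text(half, rng) + keyword + _random_text(length - half, rng)
    return {"Content-Type": "text/html"}, body + "\n"


def random_page_safe(length, keyword, rng=random):
    """Both remediations from the issue applied together."""
    half = length // 2
    # Remediation 1: escape the reflected input (<, >, &, and quotes).
    reflected = html.escape(keyword, quote=True)
    body = _random_text(half, rng) + reflected + _random_text(length - half, rng)
    headers = {
        # Remediation 2: make the browser download the body, not render it.
        # The filename is a server-side constant, never request data.
        "Content-Disposition": 'attachment; filename="random.txt"',
        # Assumption (not in the issue): declare plain text and forbid sniffing.
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body + "\n"


if __name__ == "__main__":
    for build in (random_page_unsafe, random_page_safe):
        headers, body = build(20, PROBE)
        print(build.__name__, headers, repr(body))
```

Either measure alone closes the reflection path the issue describes; applying both means a later change to one does not reopen it.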