miniflux/http/response
Frédéric Guillot eb9508502c Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler
Creating an RSS feed item with the inline description containing an `<img>` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.

This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
2023-03-12 22:36:03 -07:00
..
html Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler 2023-03-12 22:36:03 -07:00
json Fix some linter issues 2022-08-08 22:06:38 -07:00
xml Fix some linter issues 2022-08-08 22:06:38 -07:00
builder.go Proxy support for several media types 2023-02-25 15:57:59 -08:00
builder_test.go Avoid extra HTTP request for fetching custom stylesheet 2021-05-31 14:29:33 -07:00
doc.go Fix some linter issues 2022-08-08 22:06:38 -07:00