Skip to content

Sanitize session data in public output to prevent XSS vulnerabilities #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Klakurka merged 1 commit into from
Feb 20, 2025
Merged

Sanitize session data in public output to prevent XSS vulnerabilities #26

Klakurka merged 1 commit into from
Feb 20, 2025

Conversation

@xecdev
Copy link
Collaborator

@xecdev xecdev commented Feb 20, 2025

This PR fixes: #24

The functionality of the plugin remains unchanged because sanitize_text_field() does not alter valid addresses, it only strips unwanted characters.

Test plan:

  1. Install the updated plugin
  2. Log in using a valid eCash address.
  3. Verify that the Profile page displays the correct eCash address.
  4. Confirm that the JavaScript variable PaywallAjax.userAddress contains the expected value when logged in (can be checked in the console).

@xecdev xecdev requested a review from Klakurka February 20, 2025 17:42
@xecdev xecdev added the enhancement (behind the scenes) Stuff that users won't see label Feb 20, 2025
@xecdev xecdev self-assigned this Feb 20, 2025
@Klakurka Klakurka merged commit 3838dc1 into master Feb 20, 2025
@xecdev xecdev deleted the fix/sanitize-input branch March 1, 2025 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Klakurka Klakurka Klakurka approved these changes

Assignees

@xecdev xecdev

Labels

enhancement (behind the scenes) Stuff that users won't see

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ISSUE #8: Data Must be Sanitized, Escaped, and Validated

3 participants

@xecdev @Klakurka