Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix XSS exploit in metadata_url #1107

Merged
merged 8 commits into from
Oct 30, 2024
Merged

Fix XSS exploit in metadata_url #1107

merged 8 commits into from
Oct 30, 2024

Conversation

rkachowski
Copy link

Description

Despite mitigations in #1000 it is still possible to embed a malicious url within the metadata_url field of an NFT. This patch applies string sanitisation and refuses to render the url if the sanitised input differs from the original input.

Tested

  • Tested locally against mainnet db
  • Wrote and run unit tests

Issues

@rkachowski rkachowski requested a review from a team as a code owner October 29, 2024 17:59
@rkachowski rkachowski requested a review from lvpeschke October 29, 2024 17:59
@rkachowski rkachowski merged commit 004cf3f into master Oct 30, 2024
21 of 22 checks passed
@rkachowski rkachowski deleted the dhutch/xss_fix branch October 30, 2024 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants