SC-598 CHORE Disable unused html routes, XSS vuln averted #33

omnikron · 2023-10-30T15:53:54Z

https://strava.atlassian.net/browse/SC-598

There was a potential (if unlikely) XSS vulnerability inherent in our rendering
of html that has come from outside sources.

There would probably be better ways to fix this, but since this service is slated for removal soon - have taken the machete approach and simply removed all html routes from the app, so that it now only serves JSON via /api/<:resort> route – which AFAIK is the only one we need.

JMJustas

Yeah, we definitely don't need the html routes. Hopefully we will be able to kill this service altogether :)

omnikron requested review from a team and JMJustas October 30, 2023 15:54

omnikron force-pushed the SC-598-disable-liftie-html-site branch from f41f84d to 90646a5 Compare October 30, 2023 15:56

SC-598 CHORE Disable unused html routes, XSS vuln averted

8bd2947

omnikron force-pushed the SC-598-disable-liftie-html-site branch from 90646a5 to 8bd2947 Compare October 30, 2023 15:57

JMJustas approved these changes Oct 31, 2023

View reviewed changes

omnikron merged commit 26754c9 into master Oct 31, 2023
3 checks passed

omnikron deleted the SC-598-disable-liftie-html-site branch October 31, 2023 08:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SC-598 CHORE Disable unused html routes, XSS vuln averted #33

SC-598 CHORE Disable unused html routes, XSS vuln averted #33

omnikron commented Oct 30, 2023 •

edited

Loading

JMJustas left a comment

SC-598 CHORE Disable unused html routes, XSS vuln averted #33

SC-598 CHORE Disable unused html routes, XSS vuln averted #33

Conversation

omnikron commented Oct 30, 2023 • edited Loading

JMJustas left a comment

Choose a reason for hiding this comment

omnikron commented Oct 30, 2023 •

edited

Loading