Did some fixes for possible XSS injections.
First: A filename could be constructed such that, when a user edits the file, it will execute a script. This was caused by the default page not doing HTML escape on some filenames.
Second: Fixed an injection possibility regarding query params. One could construct a URL like:
https://localhost/meshagents?key="><script>alert(1)</script><a+
Or, in tricky mode:
Click here to pwn yourself
I added encodeURIComponent for most uses of req.query in webserver.js, but I can't guarantee I got them all.
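As an added illustration of the two issues described above (this is example code written for this page, not MeshCentral's webserver.js), the block below takes the query string from the URL in the description, shows how an unescaped `req.query` value or filename ends up as live markup in the response, and shows a hardened renderer that percent-encodes the value going back into a URL and HTML-escapes anything landing in markup. The route shape, the `renderVulnerable`/`renderHardened` helpers and the sample filename are constructed for the example and are not taken from the project.

```javascript
// Added example, not MeshCentral code. Demonstrates a reflected-XSS sink
// and its context-appropriate encoding. All inputs below are constructed.

// Minimal HTML escaper for text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract the `key` parameter the way a Node web server would see it in
// req.query: percent-decoded, with '+' turned back into a space.
function keyFromUrl(url) {
  return new URL(url).searchParams.get('key');
}

// Vulnerable rendering (the "before" shape described in the PR): the raw
// query value is spliced into an href and the raw filename into the body.
function renderVulnerable(query, filename) {
  return `<a href="/meshagents?key=${query.key}">Download</a>` +
         `<p>Editing ${filename}</p>`;
}

// Hardened rendering: encodeURIComponent for the value that is placed back
// into a URL, escapeHtml for everything that is placed into HTML.
function renderHardened(query, filename) {
  const key = encodeURIComponent(String(query.key ?? ''));
  return `<a href="/meshagents?key=${escapeHtml(key)}">Download</a>` +
         `<p>Editing ${escapeHtml(filename)}</p>`;
}

// Detection helper: did a <script> element survive into the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs, modelled on the payload shape in the PR text.
const sampleUrl = 'https://localhost/meshagents?key="><script>alert(1)</script><a+';
const sampleQuery = { key: keyFromUrl(sampleUrl) };
const sampleFilename = '<script>alert(1)</script>.txt'; // hypothetical filename

console.log('vulnerable:', renderVulnerable(sampleQuery, sampleFilename));
console.log('hardened:  ', renderHardened(sampleQuery, sampleFilename));
```

Running it prints the two renderings side by side; the vulnerable one contains a live `<script>` element sourced from both the query string and the filename, while the hardened one contains only percent-encoded and entity-encoded text. The point of the two encoders is that each matches its output context: `encodeURIComponent` is the right tool for a value that is being put back into a URL, and an HTML escaper is the right tool for a value that is being written into markup.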