🔒 [SECURITY] Fix XSS vulnerability in mod_netstat

If you're reading this, you might be worried. An attacker would have also needed to spoof your DNS records and your SSL root certificate store to succesfully inject code into your client. If still believe you might be at risk, shoot me an email: gabriel@saillard.dev
GitSquared · Apr 30, 2019 · fc5b8d9 · fc5b8d9 · unixfox · Apr 30, 2019
1 parent eddc810
commit fc5b8d9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/classes/netstat.class.js b/src/classes/netstat.class.js
@@ -100,7 +100,7 @@ class Netstat {
                                 delete this.ipinfo.api_version;
                                 delete this.ipinfo.time;
                                 let ip = this.ipinfo.ip;
-                                document.querySelector("#mod_netstat_innercontainer > div:nth-child(2) > h2").innerHTML = ip;
+                                document.querySelector("#mod_netstat_innercontainer > div:nth-child(2) > h2").innerHTML = window._escapeHtml(ip);
                             } catch(e) {
                                 console.warn(e);
                                 console.info(rawData.toString());