pkg-proxy/internal/server/templates
Andrew Nesbitt 9e97a3316a
Escape user-controlled strings in browse source JavaScript
File paths from archive contents were interpolated directly into onclick
handlers and innerHTML via template literals. A crafted filename containing
quotes could break out of the string context and execute arbitrary JS.

Add an escapeHTML helper and use it on all interpolated path and URL values
in the browse source page.
2026-03-12 11:59:14 +00:00
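The commit above describes the fix but the page does not show the helper or the templates, so the following is an added example, not the project's code: a minimal escapeHTML, the vulnerable rendering shape the message describes (a path interpolated into a text node, an href and an onclick via a template literal), and hardened forms. The names openFile, BASE_URL and the renderEntry* functions are hypothetical. It also shows the caveat a reviewer would raise for any inline handler: the HTML parser decodes entities in attribute values before the JS engine compiles the handler, so an inline handler is a nested JS-string-inside-attribute context and needs JS string-literal escaping under the HTML escaping, or better, no inline handler at all.

```javascript
// Added example, not from the project. BASE_URL and openFile are hypothetical.
const BASE_URL = "/browse";

// Escape the five characters that can change meaning in element content or a
// quoted attribute value. Single pass, so '&' is never double-escaped.
function escapeHTML(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: an archive-supplied path interpolated raw into three sinks.
function renderEntryUnsafe(path) {
  return `<a href="${BASE_URL}/${path}" onclick="openFile('${path}')">${path}</a>`;
}

// Still vulnerable: HTML-escaping alone inside a single-quoted JS string.
// The tokenizer turns &#39; back into ' before the handler is compiled.
function renderEntryEscapeOnly(path) {
  return `<a href="#" onclick="openFile('${escapeHTML(path)}')">${escapeHTML(path)}</a>`;
}

// Hardened: each sink gets the encoding of its own context, innermost first.
//  - text node:      HTML-escape
//  - href:           percent-encode each path segment, then HTML-escape
//  - inline handler: JS string literal (JSON.stringify), then HTML-escape
function renderEntrySafe(path) {
  const url = BASE_URL + "/" + path.split("/").map(encodeURIComponent).join("/");
  const jsArg = escapeHTML(JSON.stringify(path));
  return `<a href="${escapeHTML(url)}" onclick="openFile(${jsArg})">${escapeHTML(path)}</a>`;
}

// Preferred: no inline handler. The path rides in a data attribute and a single
// delegated listener reads it back, so there is no JS string context to escape.
function renderEntryNoInline(path) {
  const text = escapeHTML(path);
  return `<a href="#" class="entry" data-path="${text}">${text}</a>`;
}
// In the page (hypothetical binding code):
// document.addEventListener("click", (e) => {
//   const a = e.target.closest("a.entry");
//   if (a) { e.preventDefault(); openFile(a.dataset.path); }
// });

// Simulates the tokenizer's entity decoding of an attribute value (only the
// five entities escapeHTML emits), to show the source the JS engine compiles.
function decodeAttrEntities(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Extract the onclick attribute from a rendered <a> and decode it as the
// browser would; null when there is no inline handler.
function onclickSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m ? decodeAttrEntities(m[1]) : null;
}

// Constructed payload: a filename that closes the JS string and appends code.
const PAYLOAD = "'); alert(1); //";
console.log(onclickSource(renderEntryUnsafe(PAYLOAD)));     // breaks out
console.log(onclickSource(renderEntryEscapeOnly(PAYLOAD))); // still breaks out
console.log(onclickSource(renderEntrySafe(PAYLOAD)));       // stays one string
```

Running it shows that the escape-only variant compiles to the same handler source as the raw one, because the decoded attribute is identical; the JSON.stringify-then-escape form keeps the payload inside one string literal, and the data-attribute form has no handler at all.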
components Remove hard-coded ecosystems from templates 2026-03-11 17:25:47 +00:00
layout Add generated OpenAPI docs support 2026-03-12 11:49:31 +00:00
pages Escape user-controlled strings in browse source JavaScript 2026-03-12 11:59:14 +00:00