From 1f71ee2523640d2e4cfb92c9a6036f0d84df5174 Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Thu, 19 Aug 2021 15:39:48 +0300
Subject: [PATCH] fixed possible reflected XSS when fetching avatar images from a malicious URL
---
 .../java/com/erudika/scoold/controllers/PeopleController.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/main/java/com/erudika/scoold/controllers/PeopleController.java b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
index 140e3036..d46a0600 100755
--- a/src/main/java/com/erudika/scoold/controllers/PeopleController.java
+++ b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
@@ -151,6 +151,9 @@ public String bulkEdit(@RequestParam(required = false) String[] selectedUsers,
 @GetMapping("/avatar")
 public void avatar(@RequestParam(required = false) String url, HttpServletRequest req, HttpServletResponse res, Model model) {
+ // prevents reflected XSS. see https://brutelogic.com.br/poc.svg
+ // for some reason the CSP header is not sent on these responses by the ScooldInterceptor
+ utils.setSecurityHeaders(utils.getCSPNonce(), req, res);
 HttpUtils.getAvatar(url, req, res);
 }
 }
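Review bot: The added `utils.setSecurityHeaders(...)` call only hardens the browser side of the response, while the `url` parameter is still handed to `HttpUtils.getAvatar(url, req, res)` without any validation; if that helper fetches and streams the remote body (its implementation is not visible here), the endpoint should also restrict `url` to http(s) origins, check that the upstream `Content-Type` is an image type before relaying it, and send `X-Content-Type-Options: nosniff`, rather than relying on a CSP header that the client may not enforce. The comment `for some reason the CSP header is not sent on these responses by the ScooldInterceptor` records an unexplained gap that any other response written directly to `res` would share, so I would replace the two added comments with `// ScooldInterceptor does not apply to this directly-written response; set CSP explicitly so a relayed SVG cannot execute inline script (tracking: [ISSUE-ID placeholder])` and open that tracking issue. Pointing a source comment at a live third-party proof-of-concept URL is fragile and will rot; describe the finding in words instead. Whether calling `setSecurityHeaders` is safe when the interceptor does fire for this request (duplicate or conflicting CSP headers) cannot be judged from this hunk.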