fixed possible reflected XSS when fetching avatar images from a malic…

…ious URL
Erudika · Aug 19, 2021 · 1f71ee2 · 1f71ee2
1 parent c2a0539
commit 1f71ee2
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/main/java/com/erudika/scoold/controllers/PeopleController.java b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
@@ -151,6 +151,9 @@ public String bulkEdit(@RequestParam(required = false) String[] selectedUsers,
 	@GetMapping("/avatar")
 	public void avatar(@RequestParam(required = false) String url,
 			HttpServletRequest req, HttpServletResponse res, Model model) {
+		// prevents reflected XSS. see https://brutelogic.com.br/poc.svg
+		// for some reason the CSP header is not sent on these responses by the ScooldInterceptor
+		utils.setSecurityHeaders(utils.getCSPNonce(), req, res);
 		HttpUtils.getAvatar(url, req, res);
 	}
 }