Description: fix XSS issue CVE-2024-43799
Author: Ulises Gascón <https://github.com/UlisesGascon>,
Chris de Almeida <https://github.com/ctcpip>
Origin: upstream, https://github.com/pillarjs/send/commit/ae4f2989
Bug: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
Bug-Debian: https://bugs.debian.org/1081483
Forwarded: not-needed
Applied-Upstream: 0.19.0, commit:ae4f2989
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2025-04-07
--- a/index.js
+++ b/index.js
@@ -482,8 +482,7 @@
}
var loc = encodeUrl(collapseLeadingSlashes(this.path + '/'))
- var doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' +
- escapeHtml(loc) + '</a>')
+ var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
// redirect
res.statusCode = 301
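Review bot: The new body line gives no hint of why the redirect page is plain text rather than a link, so a later "improvement" that re-adds an anchor built from the request path would silently reintroduce the issue this patch fixes. A short why-comment above the new `var doc = ...` line would pin the intent, e.g. `// Plain text on purpose: an <a href> built from the request path was an XSS vector (CVE-2024-43799)`. The value is still passed through escapeHtml after encodeUrl, which is what makes the plain-text form safe; the function containing this code starts and ends outside the hunk, so the Location header handling for loc is not visible here.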
--- a/test/send.js
+++ b/test/send.js
@@ -358,7 +358,7 @@
.get('/pets')
.expect('Location', '/pets/')
.expect('Content-Type', /html/)
- .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, done)
+ .expect(301, />Redirecting to \/pets\/</, done)
})
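Review bot: Both updated expectations (here and in the /snow case in the next hunk) exercise only paths whose encoded form contains no HTML-significant characters, so they would pass even if the escapeHtml call on the new body were dropped. A companion case whose path encodes to something containing `<`, `>` or `"` — asserting the body contains the escaped entity and not the raw character — would pin the escaping behaviour the fix relies on. The enclosing `it(...)` callback starts outside the hunk.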
it('should respond with default Content-Security-Policy', function (done) {
@@ -386,7 +386,7 @@
.get('/snow')
.expect('Location', '/snow%20%E2%98%83/')
.expect('Content-Type', /html/)
- .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, done)
+ .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, done)
})
})