DOM Cross Site Scripting
Shinkurt opened this issue · comments
Hey Cosmo Devs,
I didn't have a direct email for the developers, so I am opening this ticket publicly. (Please send me your email so I can give you more serious security issues.)
Anyway, in the HTML of the index and almost every page it says:
```
if(window.location.href.indexOf('#!') === -1)
    window.location.href = window.location.protocol + '//' + window.location.host + '/#!' + window.location.pathname;
</script>
```
Note: it is IE 9 commented, so it will primarily target IE users. But using encodeURIComponent(window.location.pathname) would pretty much solve this issue. This is basically like the one WordPress got last time. Something like: http://www.paulosyibelo.com/2015/04/facebooks-parse-dom-xss.html
Thanks,
Hey, thank you for making us aware. Should be patched for next release (v5). For other issues that are better off in email, you can send them my way - jordan@wearedunn.com
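The redirect quoted in the report next to the suggested `encodeURIComponent` fix, as an added example that is not part of the original thread or of Cosmo's code. The `loc` objects, the host `cosmo.example`, the sample pathnames and the per-segment variant (which goes beyond the reporter's one-line suggestion) are assumptions made for illustration.

```javascript
// Added example. `loc` is any object shaped like window.location, so the
// functions can be exercised outside a browser. Sample values are constructed.

// The redirect target as built by the snippet quoted in the issue.
function hashbangUrlOriginal(loc) {
  return loc.protocol + '//' + loc.host + '/#!' + loc.pathname;
}

// The reporter's suggestion applied literally: encode the whole pathname.
// Markup characters are neutralised, but '/' becomes %2F and an already
// percent-encoded path is encoded a second time (%20 -> %2520).
function hashbangUrlEncoded(loc) {
  return loc.protocol + '//' + loc.host + '/#!' + encodeURIComponent(loc.pathname);
}

// Normalise one path segment: decode it if it is validly percent-encoded,
// then encode it exactly once. A malformed escape is treated as literal text.
function encodeSegment(segment) {
  let raw;
  try {
    raw = decodeURIComponent(segment);
  } catch (e) {
    raw = segment; // decodeURIComponent throws URIError on input like "50%off"
  }
  return encodeURIComponent(raw);
}

// Per-segment variant (assumption, not from the issue): keeps '/' as the
// separator so the hashbang route still matches, and avoids double encoding.
function hashbangUrlPerSegment(loc) {
  const path = loc.pathname.split('/').map(encodeSegment).join('/');
  return loc.protocol + '//' + loc.host + '/#!' + path;
}

// Constructed inputs: raw markup characters, a pre-encoded path, a bad escape.
const samples = ['/page/"><b>x', '/my%20page', '/50%off'].map(function (p) {
  return { protocol: 'http:', host: 'cosmo.example', pathname: p };
});

for (const loc of samples) {
  console.log('original   :', hashbangUrlOriginal(loc));
  console.log('whole-path :', hashbangUrlEncoded(loc));
  console.log('per-segment:', hashbangUrlPerSegment(loc));
}
```

Whichever variant is used, the code that later reads the value back out of the hash still has to treat it as untrusted text.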