
fix: template.JS XSS, GitHub name bug, POST logout [M11+L7+L9]#564

Merged
lakhansamani merged 1 commit into main from fix/m11-l7-l9-misc-fixes
Apr 4, 2026

Conversation

@lakhansamani
Contributor

Summary

  • M11 (Medium): template.JS bypassed HTML escaping — now escapes </script> and <!-- in JSON output
  • L7 (Low): GitHub OAuth assigned firstName to lastName (copy-paste bug: name[0] instead of name[1])
  • L9 (Low): Added POST /logout route alongside existing GET for CSRF-safe logout

Test plan

  • All packages compile
  • Verify GitHub OAuth correctly splits first/last name
  • Verify logout works via both GET and POST

- M11: template.JS json func now escapes </script> and <!-- to prevent
  script injection in embedded <script> blocks
- L7: GitHub OAuth assigned firstName to lastName field (name[0] vs name[1])
- L9: Added POST route for /logout alongside existing GET

Fixes: M11 (Medium), L7 (Low), L9 (Low)
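The escaping rule the M11 fix describes, as an added Go illustration that is not the project's own code: rawJSON stands in for a template "json" func that skips HTML escaping, safeJSON applies the two replacements named in the PR, and scriptIntact checks whether the rendered block is still one script element. The function names and the sample display name are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// rawJSON encodes v as valid JSON without HTML escaping, so a string
// value containing "</script>" or "<!--" reaches the page verbatim.
func rawJSON(v interface{}) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return "", err
	}
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// safeJSON replaces the two byte sequences an HTML parser acts on inside
// a <script> block with JSON escapes that decode to the same characters:
// the embedded value is unchanged, but data can no longer close the
// script element or open an HTML comment.
func safeJSON(v interface{}) (string, error) {
	s, err := rawJSON(v)
	if err != nil {
		return "", err
	}
	s = strings.ReplaceAll(s, "</", `<\/`)         // covers </script>
	s = strings.ReplaceAll(s, "<!--", `<\u0021--`) // comment opener
	return s, nil
}

// inlineScript renders the embedded-data pattern: a JSON literal
// assigned to a variable inside a <script> block.
func inlineScript(jsonLiteral string) string {
	return "<script>window.__DATA__ = " + jsonLiteral + ";</script>"
}

// scriptIntact reports whether the rendered HTML still contains exactly
// one closing script tag and no comment opener.
func scriptIntact(html string) bool {
	return strings.Count(strings.ToLower(html), "</script") == 1 &&
		!strings.Contains(html, "<!--")
}

func main() {
	// Constructed sample: a display name that happens to contain markup.
	data := map[string]string{"name": "Ada </script><!-- Lovelace"}
	raw, _ := rawJSON(data)
	safe, _ := safeJSON(data)
	fmt.Println(inlineScript(raw), scriptIntact(inlineScript(raw)))   // false
	fmt.Println(inlineScript(safe), scriptIntact(inlineScript(safe))) // true
}
```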
@lakhansamani lakhansamani merged commit 6db7fa8 into main Apr 4, 2026
@lakhansamani lakhansamani deleted the fix/m11-l7-l9-misc-fixes branch April 4, 2026 11:46