From f781ea8a2fd2a84540a7885e3d09ad4affd5465f Mon Sep 17 00:00:00 2001
From: ImanSharaf <78227895+ImanSharaf@users.noreply.github.com>
Date: Thu, 5 May 2022 10:44:36 -0700
Subject: [PATCH] p2p/simulations: escape mockerType value from request (#24822)

Co-authored-by: Felix Lange
---
 p2p/simulations/http.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/p2p/simulations/http.go b/p2p/simulations/http.go
index 27ed5b75d244..45c12f743360 100644
--- a/p2p/simulations/http.go
+++ b/p2p/simulations/http.go
@@ -22,6 +22,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "html"
 "io"
 "io/ioutil"
 "net/http"
@@ -336,7 +337,7 @@ func (s *Server) StartMocker(w http.ResponseWriter, req *http.Request) {
 mockerType := req.FormValue("mocker-type")
 mockerFn := LookupMocker(mockerType)
 if mockerFn == nil {
- http.Error(w, fmt.Sprintf("unknown mocker type %q", mockerType), http.StatusBadRequest)
+ http.Error(w, fmt.Sprintf("unknown mocker type %q", html.EscapeString(mockerType)), http.StatusBadRequest)
 return
 }
 nodeCount, err := strconv.Atoi(req.FormValue("node-count"))
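Review bot: In StartMocker, `html.EscapeString(mockerType)` encodes for an HTML context, but `http.Error` sends the body as `text/plain; charset=utf-8` with `X-Content-Type-Options: nosniff`, so API clients will see entities such as `&#34;` or `&lt;` inside the `%q`-quoted value. If the aim is to stop reflecting request-controlled data, the simpler option is not to echo it at all: `http.Error(w, "unknown mocker type", http.StatusBadRequest)`. If the escape is kept, a comment such as `// mockerType is request-controlled; escaped before being reflected in the response body` would record why it is there. StartMocker's body continues past the end of the hunk, so whether other form values are reflected the same way cannot be checked from here.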