Issue: XSS vulnerability
Priority 1 Created 2023-02-09 Resolved 2023-02-10
tootfinder has an XSS vulnerability from the printed msg query string parameter.
I think tootfinder is subject to cross-site scripting. E.g. with this link I can get arbitrary JS to run:
https://www.tootfinder.ch/index.php?msg=%3Cp%3EUser%20@readrust@botsin.space%20added.%3Cscript%3Ealert(%27hello%27)%3C/script%3E&query=%40readrust%40botsin.space
2023-02-09 Hotfix: msg is limited to links coming from the server. The link above works from this wiki, because it is on the tootfinder domain, but it would not work from elsewhere. To do: parse to remove script tags.
Fixed
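Added illustration for the record above, not tootfinder's own code: the reflected-parameter pattern the report describes next to a hardened version, in PHP since the affected page is index.php. It assumes index.php writes the msg parameter into element content; the function names and the surrounding markup are made up for the example. It also shows why the two mitigations noted above are not sufficient on their own: a Referer restriction does not change what the page does with the value once it is reflected, and removing script tags is a blocklist that payloads without any script element (an img onerror attribute, an svg onload attribute) walk past. HTML-encoding the value for the context it is written into neutralises all of them.

```php
<?php
// Added example, not tootfinder's code. Assumed: index.php writes the `msg`
// query parameter into an HTML page to confirm an action, as the report says.

// Vulnerable pattern: the parameter is reflected verbatim, so
// msg=<script>alert('hello')</script> executes in the visitor's browser.
function render_msg_unsafe(string $msg): string {
    return '<p class="msg">' . $msg . '</p>';
}

// Hardened pattern: HTML-encode the parameter for the element-content context
// it lands in. ENT_QUOTES also covers attribute contexts if the markup changes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole message into "".
function render_msg(string $msg): string {
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="msg">' . $safe . '</p>';
}

// Constructed payloads for the demo: the one from the report (URL-decoded),
// plus two that carry no <script> element and so survive tag stripping.
$payloads = [
    "<p>User @readrust@botsin.space added.<script>alert('hello')</script>",
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(1)>',
];

foreach ($payloads as $p) {
    // What a "remove script tags" filter would leave behind:
    $stripped = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $p);
    echo "stripped : $stripped\n";            // bypass payloads are untouched
    echo "encoded  : " . render_msg($p) . "\n\n"; // inert in every case
}

// In index.php the call would be: echo render_msg($_GET['msg'] ?? '');
```

Run with `php example.php` to compare the two outputs per payload. The Referer check from the hotfix can stay as defence in depth, but the encoding call is the fix: once the value is encoded for its output context, where the link came from no longer matters.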