Three vulnerabilities patched in the /export.ics route: - esc() now handles bare \r and CRLF sequences — the previous regex only matched \n, leaving \r intact and allowing CRLF injection via \r\n - reservation DESCRIPTION field was built from unescaped user data (type, confirmation_number, notes, airline, flight/train numbers, airports) and written raw into ICS output; now passed through esc() - Content-Disposition filename used ICS escaping instead of HTTP header sanitization; replaced with a character allowlist to prevent " and \r\n injection into the response header |
||
|---|---|---|
| .. | ||
| public | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||