p2p/simulations: escape mockerType value from request (#24822)

Co-authored-by: Felix Lange <fjl@twurst.com>

p2p/simulations: escape mockerType value from request (#24822)
Co-authored-by: Felix Lange <fjl@twurst.com>
ca8e2f1e · ImanSharaf · GitHub · 256aae0b · ca8e2f1e
Unverified Commit ca8e2f1e authored 3 years ago by ImanSharaf Committed by GitHub 3 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

http.go p2p/simulations/http.go +2 -1

No files found.
--- a/p2p/simulations/http.go
+++ b/p2p/simulations/http.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -336,7 +337,7 @@ func (s *Server) StartMocker(w http.ResponseWriter, req *http.Request) {
 	mockerType := req.FormValue("mocker-type")
 	mockerFn := LookupMocker(mockerType)
 	if mockerFn == nil {
-		http.Error(w, fmt.Sprintf("unknown mocker type %q", mockerType), http.StatusBadRequest)
+		http.Error(w, fmt.Sprintf("unknown mocker type %q", html.EscapeString(mockerType)), http.StatusBadRequest)
 		return
 	}
 	nodeCount, err := strconv.Atoi(req.FormValue("node-count"))