
You need to filter the URLs that are accepted to avoid security problems - had you a contact address on your profile here, or on the site, I'd have disclosed this more privately.

But consider this case:

https://webtest.app/?url=file:///etc/passwd

In short, you should restrict URLs to protocols of `http` and `https`, and even then you should filter based on IP. You don't want people to view http://localhost/server-status, etc.

Finally you need to make sure you avoid recursion:

https://webtest.app/?url=https://webtest.app/?url=https://st...
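The three checks from the comment above (scheme allowlist, IP filtering, no fetching the service itself), as an added example that is not part of the original thread or the site's code. The names `check_url`, `resolve_host` and `OWN_HOSTS` are hypothetical, and the resolver is injectable so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
OWN_HOSTS = {"webtest.app"}  # the service's own hostname, taken from the thread


def resolve_host(host, port):
    """Default resolver (uses DNS): every address the name maps to."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url, resolver=resolve_host):
    """Return (ok, reason, addresses) for a user-supplied URL.

    The caller should connect to one of the returned addresses rather than
    resolve the name again, so the checked IP is the one actually fetched.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", []
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host", []
    if host in OWN_HOSTS:
        return False, "URL points back at this service (recursion)", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP, nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host, port or (443 if scheme == "https" else 80))
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve", []
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 -> 127.0.0.1
        if not ip.is_global:  # loopback, private, link-local, reserved...
            return False, f"{host} maps to non-public address {ip}", []
    return True, "ok", addrs
```

If the fetcher follows redirects, each hop's URL needs to go through the same check before it is requested.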




> https://webtest.app/?url=file:///etc/passwd

I find it funny that the app reports even this file loads faster with uBlock.


Thanks, good find, I fixed it.



