Section 5.3.1 Verification Details says that the subscriber MUST respond with a status of 200 and response body equal to the hub.challenge value. It does not offer a format for the hub.challenge value. Escaping it could alter the value in a way that makes it unacceptable to the hub.
I suspect in implementation that it is just a hash, but it is not a part of the spec so cannot be relied on.
We are implementing a subscriber to the Twitch.tv API. The GitHub Code Scanning system flags it as a CWE-79 and CWE-116 violation.
It suggests escaping the value like this:
Tracking here: michaeljolley/number-one#76