From 02ba2908cc8eeff7797b6c765cc061e829f42dcf Mon Sep 17 00:00:00 2001
From: Dirkjan Bussink
Date: Wed, 12 Jul 2023 14:15:31 +0200
Subject: [PATCH] viperutil: Remove potential cross site reflecting issue

It's possible to inject HTML / Javascript in the format parameter which means you can do a self XSS. Not a huge immediately issue as it's only self XSS, but we should fix it nonetheless.

Signed-off-by: Dirkjan Bussink
---
 go/viperutil/debug/handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go/viperutil/debug/handler.go b/go/viperutil/debug/handler.go
index 07442dd13ab..43d83d235a4 100644
--- a/go/viperutil/debug/handler.go
+++ b/go/viperutil/debug/handler.go
@@ -77,6 +77,6 @@ func HandlerFunc(w http.ResponseWriter, r *http.Request) {
 return
 }
 default:
- http.Error(w, fmt.Sprintf("unsupported config format %s", format), http.StatusBadRequest)
+ http.Error(w, "unsupported config format", http.StatusBadRequest)
 }
 }
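Review bot: The new `http.Error(w, "unsupported config format", http.StatusBadRequest)` line in the `default:` branch has no comment saying why the rejected value is deliberately left out, so a later change could re-add it for debuggability; I would put `// Do not echo the request-supplied format parameter into the response body.` directly above it. Because the caller no longer learns what was rejected, the fixed message could instead name the accepted formats from a constant list, which keeps the response free of request data. The other branches of HandlerFunc begin outside this hunk, so it is not visible here whether they format request-derived values into a response in the same way; that is worth checking alongside this change. A handler test that sends a `format` value containing markup and asserts the 400 body does not contain it would pin the behaviour.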