Merge pull request #163 from fredrikstave/master

Sanitize response message for unathorized headers
nelmio · Apr 20, 2021 · 0b964b6 · 0b964b6
2 parents 765b62a + 80fc71a
commit 0b964b6
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/EventListener/CorsListener.php b/EventListener/CorsListener.php
@@ -176,8 +176,9 @@ protected function getPreflightResponse(Request $request, array $options): Respo
  continue;
  }
  if (!in_array($header, $options['allow_headers'], true)) {
+ $sanitizedMessage = htmlentities('Unauthorized header '.$header, ENT_QUOTES, 'UTF-8');
  $response->setStatusCode(400);
- $response->setContent('Unauthorized header '.$header);
+ $response->setContent($sanitizedMessage);
  break;
  }
  }