Plugin inspection:

dxw Security

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Warnings

This recommendation applies to version 0.2.5 of this plugin, but the most recent version is 0.2.8. These findings may no longer be correct.

View the recommendation for version 0.2.8 of this plugin instead

Findings

This plugin displays HTML obtained via an API call to app.advisories.dxw.com, making it possible that dxw could perform an XSS attack against an admin when this plugin is enabled.

NB: We will, of course, not do this. We’re thinking about how we can change the structure of the API so that we can escape all the data we get from it before it’s displayed.
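The pattern behind this finding, shown as an added illustration rather than the plugin's own code: it assumes a WordPress plugin (the `wp_remote_get` / `wp_kses` API) and uses a placeholder endpoint path on app.advisories.dxw.com, since the page does not name the real one. The unsafe function echoes the remote HTML unchanged; the hardened one keeps only an explicit allow-list of tags and attributes, which is the kind of escaping step the note above anticipates.

```php
<?php
// Added example, not code from the reviewed plugin. Assumes WordPress.
// The endpoint path is a placeholder; the page does not state the real URL.
function dxw_example_fetch_advisory_html( $plugin_slug ) {
    $url      = 'https://app.advisories.dxw.com/PLACEHOLDER-ENDPOINT/' . rawurlencode( $plugin_slug );
    $response = wp_remote_get( $url, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    return (string) wp_remote_retrieve_body( $response );
}

// Risky pattern the finding describes: whatever the API returns, script
// tags and event handlers included, is written straight into an admin page.
function dxw_example_render_unsafe( $html ) {
    echo $html;
}

// Allow-list for the hardened path. Only these tags/attributes survive;
// wp_kses also drops disallowed URL schemes such as javascript: in href.
function dxw_example_allowed_html() {
    return array(
        'p'      => array(),
        'strong' => array(),
        'em'     => array(),
        'ul'     => array(),
        'li'     => array(),
        'a'      => array( 'href' => true, 'title' => true ),
    );
}

// Hardened pattern: the remote HTML is filtered before it reaches the browser,
// so a compromised or malicious API response cannot run script in the admin's session.
function dxw_example_render_safe( $html ) {
    echo wp_kses( $html, dxw_example_allowed_html() );
}
```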