Profile API: Throws 500 code when sending export Segment request with security SegmentId

Fixed in

EPiServer.Profiles.Client 1.7.0

Created

Jul 06, 2018

Updated

Nov 30, 2018

State

Closed, Fixed and tested


Description

Steps to reproduce

  1. Do a query with:
     • Method: GET
     • Url: /api/v1.0/segments/@segmentId/export/segmentId, with segmentId set to each of the values below:

segmentId=<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
segmentId=1' or '1'='1
segmentId=< abc123 >

Expected:
It shows Not Found.

Actual:
It shows:
{
  "error": {
    "code": "500",
    "message": "Server error occurred.",
    "target": "",
    "details": []
  }
}
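The defect above is a classic input-handling gap: a malformed path parameter is passed straight to the backend, the backend throws, and the framework's catch-all turns the exception into a 500 that leaks the fact that the server faulted rather than the correct answer, "no such segment" (404). The following is an added example, not Episerver's Profile API code, that models the bug and the fix side by side in Python. It assumes an in-memory segment store, an id grammar of letters, digits, '-' and '_' (the page does not state the real format, so this is an assumption), and reuses the error envelope shape the page shows for the 500 response for the 404 case as well.

```python
import re
from typing import Optional

# Constructed in-memory store standing in for the real segment backend (assumption).
SEGMENTS = {
    "seg-42": {"name": "Returning visitors"},
}

# Assumed id grammar: the page does not say what a valid segmentId looks like,
# so this example treats ids as short tokens of letters, digits, '-' and '_'.
SEGMENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# The three probe values from the bug report, embedded here as test input.
PROBES = [
    "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">",
    "1' or '1'='1",
    "< abc123 >",
]


def error_body(code: int, message: str) -> dict:
    """Error envelope in the shape the page shows for the 500 response."""
    return {"error": {"code": str(code), "message": message, "target": "", "details": []}}


def is_well_formed_segment_id(segment_id: str) -> bool:
    """Syntactic check on the path parameter, done before any lookup."""
    return SEGMENT_ID_RE.fullmatch(segment_id) is not None


def backend_lookup(segment_id: str) -> Optional[dict]:
    """Constructed stand-in for the backing store.

    Like many stores it raises on an id it cannot parse; that unhandled
    exception is how an unchecked id surfaces as a 500 at the API edge.
    """
    if not is_well_formed_segment_id(segment_id):
        raise ValueError(f"unparseable segment id: {segment_id!r}")
    return SEGMENTS.get(segment_id)


def export_segment_unvalidated(segment_id: str) -> tuple[int, dict]:
    """Buggy shape: pass the raw id through, let the catch-all map any
    exception to 500. Returns (status, body)."""
    try:
        segment = backend_lookup(segment_id)
    except Exception:
        # Framework-style catch-all: every failure becomes a server error.
        return 500, error_body(500, "Server error occurred.")
    if segment is None:
        return 404, error_body(404, "Not Found")
    return 200, {"segmentId": segment_id, "export": segment}


def export_segment(segment_id: str) -> tuple[int, dict]:
    """Fixed shape: a syntactically invalid id can never name a segment,
    so answer 404 up front and reserve 500 for genuine backend faults."""
    if not is_well_formed_segment_id(segment_id):
        return 404, error_body(404, "Not Found")
    return export_segment_unvalidated(segment_id)


if __name__ == "__main__":
    for probe in PROBES:
        before, _ = export_segment_unvalidated(probe)
        after, _ = export_segment(probe)
        print(f"{probe!r}: before={before} after={after}")
```

The point of ordering the checks this way is that the validation step decides the response on its own, so no probe value ever reaches code that could throw; the catch-all stays in place only for real infrastructure failures, which is the one case where "Server error occurred." is the honest answer.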