Begin forwarded message:

From: Bob Simons <bobsim...@gmail.com>
Subject: Security Vulnerability in ERDDAP v2.15+
Date: November 21, 2022 at 2:52:03 PM PST
To: undisclosed-recipients:;

There is a security vulnerability related to the language selection dropdown (which usually appears in the upper right of every HTML page) in ERDDAP v2.15 and above. I'm working on a fix but it appears to be more complicated than I initially thought, so it may take a while.

In the meantime (i.e., immediately), you can and should remove the vulnerability by removing "&language;" from <startBodyHtml5> in your datasets.xml. That will cause the language selection dropdown to disappear. If you then flag any dataset or wait for loadDatasets to run by itself, the change will take effect.

Or, if your <startBodyHtml5> tag is empty (or non-existent), replace it temporarily with

<startBodyHtml5><![CDATA[
<body>
<table class="compact nowrap" style="width:100%; background-color:#128CB5;">
<tr>
<td style="text-align:center; width:80px;"><a rel="bookmark"
href="https://www.noaa.gov/"><img
title="National Oceanic and Atmospheric Administration"
src="&erddapUrl;/images/noaab.png" alt="NOAA"
style="vertical-align:middle;"></a></td>
<td style="text-align:left; font-size:x-large; color:#FFFFFF; ">
<strong>ERDDAP</strong>
<br><small><small><small>&EasierAccessToScientificData;</small></small></small>
</td>
<td style="text-align:right; font-size:small;">
&loginInfo;
<br>&BroughtToYouBy;
<a title="National Oceanic and Atmospheric Administration" rel="bookmark"
href="https://www.noaa.gov">NOAA</a>
<a title="National Marine Fisheries Service" rel="bookmark"
href="https://www.fisheries.noaa.gov">NMFS</a>
<a title="Southwest Fisheries Science Center" rel="bookmark"
href="https://www.fisheries.noaa.gov/about/southwest-fisheries-science-center">SWFSC</a>
<a title="Environmental Research Division" rel="bookmark"
href="https://www.fisheries.noaa.gov/about/environmental-research-division-southwest-fisheries-science-center">ERD</a>
</td>
</tr>
</table>
]]></startBodyHtml5>

Again: if you then flag any dataset or wait for loadDatasets to run by itself, the change will take effect.

Or, if your ERDDAP isn't set up to show the language dropdown (usually in the upper right of every HTML page's banner), there is no vulnerability.

To be super clear: if the language dropdown is gone, the vulnerability is gone.

I hope that makes sense. If you have any questions, please let me know.

Best wishes.
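The message above asks administrators to find "&language;" in the <startBodyHtml5> element of datasets.xml and remove it. The following Python script is an added example, not part of Bob Simons's message and not ERDDAP project code: it reports whether a datasets.xml still carries the placeholder (missing, empty, vulnerable, or ok) and writes a copy with "&language;" stripped from that element only. It assumes nothing beyond what the message states (the dropdown is emitted where "&language;" appears in <startBodyHtml5>); the sample datasets.xml embedded in it is constructed for the example, and the script and file names are hypothetical.

```python
"""Check an ERDDAP datasets.xml for the "&language;" placeholder in
<startBodyHtml5> and produce a copy with it removed.

Added example, not ERDDAP project code. It assumes only what the forwarded
message states: the language dropdown is emitted where "&language;" appears in
<startBodyHtml5>, and removing that placeholder removes the dropdown. The
sample datasets.xml below is constructed for this example.
"""
import re
import sys

# ERDDAP performs its own substitution of "&language;", so inside a CDATA
# section it is ordinary text. A text search is therefore the right check;
# an XML parser would not report it as an entity reference.
_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_START_BODY = re.compile(
    r"<startBodyHtml5>(?:\s*<!\[CDATA\[)?(.*?)(?:\]\]>\s*)?</startBodyHtml5>",
    re.DOTALL,
)


def start_body_status(datasets_xml: str) -> str:
    """Return one of:
    "missing"    - no <startBodyHtml5> element (ERDDAP falls back to its default)
    "empty"      - element present but blank (same effect as missing)
    "vulnerable" - element contains "&language;", so the dropdown is shown
    "ok"         - element present, non-empty, and without "&language;"
    Commented-out copies of the element are ignored.
    """
    live_xml = _COMMENT.sub("", datasets_xml)
    match = _START_BODY.search(live_xml)
    if match is None:
        return "missing"
    body = match.group(1)
    if not body.strip():
        return "empty"
    return "vulnerable" if "&language;" in body else "ok"


def remove_language_dropdown(datasets_xml: str) -> str:
    """Return datasets_xml with "&language;" stripped from every
    <startBodyHtml5> element; everything else is left intact."""
    return _START_BODY.sub(
        lambda m: m.group(0).replace("&language;", ""), datasets_xml
    )


# Constructed sample: a trimmed banner with the dropdown placeholder present.
SAMPLE_VULNERABLE = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<erddapDatasets>
<startBodyHtml5><![CDATA[
<body>
<table class="compact nowrap" style="width:100%;">
<tr>
<td style="text-align:right; font-size:small;">
&loginInfo;
<br>&language;
</td>
</tr>
</table>
]]></startBodyHtml5>
</erddapDatasets>
"""


def main(argv: list) -> int:
    """Usage: python check_erddap_language.py [datasets.xml [fixed.xml]]
    With no arguments the constructed sample is checked. Exit status 1 means
    the placeholder is still present."""
    if len(argv) > 1:
        # latin-1 round-trips every byte, so the written copy differs from the
        # input only where "&language;" was removed.
        with open(argv[1], encoding="latin-1") as src:
            text = src.read()
    else:
        text = SAMPLE_VULNERABLE
    status = start_body_status(text)
    print(f"startBodyHtml5 status: {status}")
    if status == "vulnerable" and len(argv) > 2:
        with open(argv[2], "w", encoding="latin-1") as out:
            out.write(remove_language_dropdown(text))
        print(f"wrote copy without &language; to {argv[2]}")
    return 1 if status == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against a real datasets.xml only edits a copy; after putting the copy in place, the message's final step still applies: flag any dataset or wait for loadDatasets so the new banner takes effect. A result of "missing" or "empty" means the default banner is in use, which is the case the message tells you to replace with an explicit <startBodyHtml5> block that lacks "&language;".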