
Interviewer employee ids and emails are exposed for applicants in the application page source

Low
samhotep published GHSA-659q-xgxw-56p9 Sep 16, 2025

Package

No package listed

Affected versions

Current/ NA (or at least I don't know the current version as the tags/releases are not publicly available)

Patched versions

None

Description

Summary

When an applicant has an upcoming interview, the applicant can see information such as the interviewer's employee id and email, and the scorecard_id and status, up to and including the end (in UTC) of the day of the interview.

Details

const interview = {{ interview | tojson }};

In the resolved template, the expression {{ interview | tojson }} in the above line returns an object which contains all the information related to the interview, including information about the interviewer, their id, and the scorecard.

This template is included in both early-stage and late-stage based (among others) on the following condition: now("%Y%m%d") <= interview["start"]["datetime"].strftime('%Y%m%d'). Fwiw, the times all seem to be in UTC, so this condition holds true until 00:00 UTC of the day immediately following the interview start time.

So this information (a large part of which is not needed) is visible in the page source when the applicant inspects it in the browser.

Once the interview day has passed, this information is no longer available to applicants, as the interview-card template is no longer used and the interview-card-done template (which does not have {{ interview | tojson }}) is used instead.

PoC

I am not familiar with the development environment of canonical.com. The steps to reproduce:

  • Create an early-stage or late-stage interview for today or a future date with one or more interviewers
  • Go to /careers/application/<application_token>
  • Inspect the DOM and search for "const interview =". You will find the JSON object with all the information, especially the scorecard id/status and interviewer id/email.

Proposal

Replace the wide-ranging {{ interview | tojson }} with {{ interview{only the keys needed in the template} | tojson }}
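One way to apply this proposal on the server side, before the value reaches tojson. This is an added example, not canonical.com's code: the key names, the ALLOWED list, the sample record and the serialize stand-in for the tojson filter are all assumptions.

```python
import json
from datetime import datetime, timezone

# Assumption: the only fields the card's script needs; adjust to the real template.
ALLOWED = {"id": True, "start": {"datetime": True}, "end": {"datetime": True}}
# Fields named in the advisory's description; the exact key names are assumed.
SENSITIVE = {"employee_id", "email", "scorecard_id"}


def project(obj, allowed):
    """Copy only allow-listed keys from obj; unknown or newly added keys are dropped."""
    out = {}
    for key, rule in allowed.items():
        if key not in obj:
            continue
        if isinstance(rule, dict):
            # Nested rule: descend only when the value really is a mapping.
            if isinstance(obj[key], dict):
                out[key] = project(obj[key], rule)
        else:
            out[key] = obj[key]
    return out


def serialize(obj):
    """Stand-in for the tojson filter: JSON with datetimes as ISO 8601 strings."""
    return json.dumps(obj, default=lambda v: v.isoformat(), sort_keys=True)


def keys_in(value):
    """Every key name at any depth, to check what would reach the page source."""
    if isinstance(value, dict):
        return set(value) | {k for v in value.values() for k in keys_in(v)}
    if isinstance(value, list):
        return {k for v in value for k in keys_in(v)}
    return set()


# Constructed sample record (not real data).
SAMPLE = {
    "id": 1001,
    "status": "scheduled",
    "start": {"datetime": datetime(2025, 9, 16, 14, 0, tzinfo=timezone.utc)},
    "end": {"datetime": datetime(2025, 9, 16, 15, 0, tzinfo=timezone.utc)},
    "interviewers": [{"employee_id": "E-0001", "email": "interviewer@example.com",
                      "scorecard_id": 555, "name": "Example Interviewer"}],
}

if __name__ == "__main__":
    print("full object exposes:", sorted(keys_in(SAMPLE) & SENSITIVE))
    print("projected object   :", serialize(project(SAMPLE, ALLOWED)))
```

The keys_in check can also run in a template test against the rendered card, so a field added to the interview object later does not silently reach applicants.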

Impact

Probably a very small/negligible impact as the exposed information by itself is not that confidential in my opinion

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs
