There are some attempts at various injection attacks on the internet header config mechanism.

The internet header element takes some properties and uses them to request the config. Before sending the request, the properties are not validated and the element can be manipulated to send potentially malicious code to our servers.

Tasks

• Before sending the config.json request, check the validity of the environment, projectid and data-version (?) inputs, allowed characters are [a-z], numbers and a dash.
• Encode params before sending with https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent