
Is this library secure against XSS? #709

Answered by franky47
pedro757 asked this question in Q&A

If you mean "does it protect you from doing things like this":

const [redirect] = useQueryState('redirect')
const router = useRouter()

useEffect(() => {
  router.replace(redirect)
}, [redirect])

Then no. A little userland logic is needed to prevent XSS. This can (and probably should) be done in a parser:

const redirectParser = createParser({
  parse(query) {
    // Very basic check
    if (query.startsWith('/') === false) {
      return null // Possible XSS
    }
    return query
  },
  serialize(value) { return value }
})

function useRedirect() {
  const [redirect] = useQueryState('redirect', redirectParser.withDefault('/'))
  return redirect
}
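A stricter version of the same check, as an added example that is not part of the answer above or of the library's own code. It keeps the `parse`/`serialize` shape the answer passes to `createParser`, but is written as a plain function with no library import so it runs stand-alone; `BASE_ORIGIN` is a constructed placeholder for the application's own origin. Beyond the `startsWith('/')` test it also rejects protocol-relative and backslash forms, control characters, and paths that resolve to a different origin.

```javascript
// Added example (not from the discussion or the library): a hardened
// same-origin path check for a `redirect` query parameter.
const BASE_ORIGIN = 'https://app.example.test'; // constructed placeholder

// Returns a safe relative path, or null so the parser falls back to its default.
function parseRedirect(query) {
  if (typeof query !== 'string' || query.length === 0) return null;
  // Must be a path, not a protocol-relative URL ("//host") or the
  // backslash variant browsers normalise to one ("/\host").
  if (!query.startsWith('/') || query.startsWith('//') || query.startsWith('/\\')) return null;
  // Control characters, whitespace and backslashes are either stripped or
  // rewritten by URL parsing; refuse them outright rather than guess.
  if (/[\u0000-\u001f\u007f\s\\]/.test(query)) return null;
  // Final authority: resolve against our own origin and confirm it is unchanged.
  let resolved;
  try {
    resolved = new URL(query, BASE_ORIGIN);
  } catch {
    return null;
  }
  if (resolved.origin !== BASE_ORIGIN) return null;
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return null;
  const path = resolved.pathname + resolved.search + resolved.hash;
  // Dot-segment tricks such as "/..//host" resolve to a "//host" pathname,
  // which a router would again treat as protocol-relative; reject those too.
  if (path.startsWith('//')) return null;
  return path;
}

// Same shape as the answer's parser spec; in the app this would be
// createParser(redirectParserSpec).withDefault('/').
const redirectParserSpec = {
  parse: parseRedirect,
  serialize: (value) => value,
};
```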

Answer selected by franky47