XSS when hydrating component #225

Closed
valterkraemer opened this issue Dec 10, 2021 · 2 comments

@valterkraemer

Elderjs newbie here. Not sure, but I assume that this, or a similar approach, is a realistic use case. Was able to do an XSS injection by exploiting the hydration mechanism.

route.js

module.exports = {
  data: {
    test: "</script><script>alert('Yo!')</script>",
  },
  all: () => [],
  permalink: '/:slug/',
};

Blog.svelte

<script>
  import MyComponent from '../../components/MyComponent.svelte';
  export let data;
</script>

<MyComponent hydrate-client={{ data: data.test }} />

MyComponent.svelte

<script>
  export let data;
</script>

{data}

Loading the Blog page executes alert('Yo!').

Reported a similar issue in SvelteKit some months back: sveltejs/kit#721

@nickreese
Contributor

@valterkraemer Yep, 100% an XSS issue. The docs include this warning:

Security Note: Whatever you pass to hydrate-client will get written to the HTML shipped to the browser via JSON.stringify. There are XSS and security considerations of passing data to the client, only hydrate content you trust.

I don't imagine it being too complex to escape it if we wanted to make that less of a concern.

@valterkraemer
Author

Oh okay, thanks @nickreese. Yeah, at least how they fixed it in SvelteKit seems to be pretty straightforward: sveltejs/kit#769
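
An added example, not part of the thread and not Elder.js or SvelteKit code: it shows why output written via JSON.stringify can close an inline script element, and one way to escape it so the value still round-trips. The function names and the `window.__props` script shape are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not Elder.js APIs.

// Characters that can end or alter an inline <script> block, plus U+2028 and
// U+2029 (line terminators in older JavaScript engines).
const UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize props for embedding inside <script>...</script>. \uXXXX escapes
// are valid in both JSON and JS string literals, so the value is unchanged.
function serializeProps(props) {
  return JSON.stringify(props).replace(
    UNSAFE,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Simplified stand-in for a hydration script tag (assumed shape).
function renderHydrationScript(serialized) {
  return `<script>window.__props = ${serialized};</script>`;
}

// Rough model of the HTML tokenizer: a script element ends at the first
// "</script", regardless of JavaScript string quoting.
function scriptBodySeenByParser(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.toLowerCase().indexOf('</script', start);
  return html.slice(start, end);
}

// Constructed sample: the value from route.js in the report above.
const props = { data: "</script><script>alert('Yo!')</script>" };

const naive = renderHydrationScript(JSON.stringify(props));
const hardened = renderHydrationScript(serializeProps(props));

// Naive: the parser cuts the script short at the injected </script>,
// and everything after it is parsed as new markup.
console.log(scriptBodySeenByParser(naive));
// Hardened: the whole assignment stays inside one script element.
console.log(scriptBodySeenByParser(hardened));
```

Escaping at serialization time covers the script-context breakout only; how a component later renders the hydrated value is a separate concern.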
