feat: decode html entities before sanitizing #40
Merged
+64
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sshropshire
approved these changes
Feb 22, 2022
sshropshire
reviewed
Feb 22, 2022
| "javascript:alert('XSS')", | ||
| "jav	ascript:alert('XSS');", | ||
| "  javascript:alert('XSS');", | ||
| ]; |
There was a problem hiding this comment.
qq: Is there a reference to how these attack vector urls are generated?
There was a problem hiding this comment.
They are HTML encoded characters. So each character can be rendered as itself or as an HTML entity. For instance, j can be j or j or j (see https://www.htmlsymbols.xyz/unicode/U+006A)
There was a problem hiding this comment.
I wish I had an easy go-to site for generating them, but since j is a valid encoded character, by default, encoders don't convert it. Had trouble finding a place that would encode it using the special characters.
Most of these values came from the XSS report, and they do decode to the expected values.
cgdibble
approved these changes
Feb 22, 2022
rwhogg
approved these changes
Feb 23, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Jira
Addresses a reported XSS vulnerability in this package.
If the urls provided are HTML encoded, they'll remain HTML encoded when dynamically created using the DOM api. However, if rendered as HTML from the server, they'll get converted to readable entities without sanitization.
This update decodes the HTML in the url before sanitizing.
It's technically a breaking change, since it's transforming the URL, so it'll go out as v6.