-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a few more badcharacters #1083
Conversation
- Adding these special characters to support better escaping. Testing adding also more characters that could result on XSS, such as ";", "(" and ")" . Currently this library is vulnerable to attacks such as <a href={{foo}}/> where foo is "test onload=alert(1)" resulting on the string <a href=test onload=alert(1)/>
This method is intended for escaping HTML content only, not javascript. Could you show me an example of what you are using this for that you'd like this change? |
Well, I was adding a few more cases to add common special characters that most libraries include. With that said, I found this when I was testing this edge case |
Ping me at kpdecker at gmail with the repo case.
|
Sorry that was formatted oddly in my email. No need to ping. This isn't the right fix as you are escaping to a different language and thus creating invalid data. Escaping = would be sufficient to mitigate, no? |
I was going to send another patch escaping ‘(‘ , ')’ and ‘=‘. The reason why I added the other special characters as well is because technically those should be escaped as well, but it could potentially break things if someone is trying to paste something on With that said, technically this is more of a fault from developers not inserting the correct “ or ‘ to contain the value of the html Attribute, but it is such a common usage that I think you should try to fix it, by escaping a few more characters as you mentioned and I have recommended above. |
Thanks for bringing this up. I went with the |
It would be interesting to contemplate adding even more characters.