
XSS in href attribute, issue a warning #6423

Closed
m1212e opened this issue Jun 21, 2021 · 4 comments

Comments


m1212e commented Jun 21, 2021

This (see code snippet below) currently works without any warning etc.
Imagine test being user input. Since many developers just use frameworks for the comfort of not having to think about XSS and other security-relevant things, maybe it would be a good idea to at least issue a warning to the console when this occurs? React actually made this deprecated and plans to make it stop working.

```svelte
<script lang="ts">
	// Stands in for attacker-controlled user input; the javascript: scheme
	// runs in the page when the link is clicked.
	let test = `javascript:alert('1')`;
</script>

<main>
	<!-- Svelte escapes the attribute value but does not reject the scheme -->
	<a href={test}>test</a>
</main>
```

@mohe2015

@m1212e have you found resources for general mitigation? Because the OWASP sheets don't seem to contain good general advice in this specific case.

@mohe2015

I could probably look at any good html sanitizer

Author

m1212e commented Jun 22, 2021

It caught my attention while reading this article: https://lolware.net/blog/react-xss-protection-cheat-sheet/
All it says is basically: Parse user input. So that's probably what should be done.
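One way to do the "parse user input" step from the article, as an added example that is not part of this thread or of Svelte: run the untrusted value through the WHATWG URL parser and bind only values whose scheme is on an explicit allow list. The `safeHref` helper, `BASE_ORIGIN` and the sample inputs are constructed for this illustration.

```javascript
// Added example (not from this issue or from Svelte): validate a user-supplied
// URL before binding it to href, accepting only an explicit list of schemes.
// The WHATWG URL parser strips leading/trailing whitespace, removes ASCII tab
// and newline characters anywhere in the input and lower-cases the scheme, so
// obfuscated variants resolve to the same "javascript:" protocol and are caught.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Relative links are resolved against this constructed base so that "/about"
// is accepted; in a browser you would pass document.baseURI instead.
const BASE_ORIGIN = 'https://example.invalid/';

/**
 * Returns a URL string that is safe to place in href, or the fallback
 * "about:blank" when the input cannot be parsed or uses a disallowed scheme.
 */
function safeHref(userInput, fallback = 'about:blank', base = BASE_ORIGIN) {
  if (typeof userInput !== 'string') return fallback;
  let parsed;
  try {
    parsed = new URL(userInput, base);
  } catch {
    return fallback; // unparseable input never reaches the DOM
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return fallback;
  return parsed.href; // normalized absolute URL, same as the browser would resolve
}

// Constructed sample inputs in the shape of the issue's `test` variable.
const samples = [
  "javascript:alert('1')",
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>not a link</b>',
  'https://example.com/docs',
  '/about',
  'mailto:user@example.com',
];
for (const s of samples) console.log(JSON.stringify(s), '->', safeHref(s));
```

In the component this becomes `<a href={safeHref(test)}>`, so the only way for a disallowed scheme to reach the DOM is to bypass the helper, which is easy to grep for in review.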

Member

pngwn commented Jun 27, 2021

We will not be addressing this in Svelte itself. We would need to add runtime checks to Svelte for it to be robust and there are better solutions to this problem. Security is down to the user.

SvelteKit is the right place to solve this problem.
