XSS #1
Comments
Merged
Hi Rich, You can prevent these attacks by escaping HTML characters. You can use or check the implementation of serialize-javascript developed by Yahoo, it provides these safety practices. </script> will be transformed to \u003C\u002Fscript\u003E for example.
Excellent, thank you! I'll borrow that code.
You're welcome.
aldarund added a commit to aldarund/devalue that referenced this issue on Oct 13, 2018:
* warn instead of error for non pojo attrs * change refs * add support for objects with toJson method Rich-Harris#1
Say you're server-rendering a page and want to serialize some state, which could include user input. JSON.stringify doesn't protect against XSS attacks:

That would result in this...

...which would obviously load a script from evil.com.

The same is true of devalue. We should be able to prevent those attacks by replacing any instance of </ with <\u002f, though I'd love for someone else to tell me if I'm right about that.