From 8c586a3b6cde23b635b0e9060150f27f239a8c14 Mon Sep 17 00:00:00 2001
From: Sasha Aickin <sasha@aickin.com>
Date: Wed, 30 Oct 2024 18:20:13 -0400
Subject: [PATCH] Added documentation about potential XSS in router.push
 (#71645)

<!-- Thanks for opening a PR! Your contribution is much appreciated.
To make sure your PR is handled as smoothly as possible we request that
you follow the checklist sections below.
Choose the right checklist for the change(s) that you're making:

## For Contributors

### Improving Documentation

- Run `pnpm prettier-fix` to fix formatting issues before opening the
PR.
- Read the Docs Contribution Guide to ensure your contribution follows
the docs guidelines:
https://nextjs.org/docs/community/contribution-guide

### Adding or Updating Examples

- The "examples guidelines" are followed from our contributing doc
https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md
- Make sure the linting passes by running `pnpm build && pnpm lint`. See
https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md

### Fixing a bug

- Related issues linked using `fixes #number`
- Tests added. See:
https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs
- Errors have a helpful link attached, see
https://github.com/vercel/next.js/blob/canary/contributing.md

### Adding a feature

- Implements an existing feature request or RFC. Make sure the feature
request has been accepted for implementation before opening a PR. (A
discussion must be opened, see
https://github.com/vercel/next.js/discussions/new?category=ideas)
- Related issues/discussions are linked using `fixes #number`
- e2e tests added
(https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs)
- Documentation added
- Telemetry added. In case of a feature if it's used or not.
- Errors have a helpful link attached, see
https://github.com/vercel/next.js/blob/canary/contributing.md


## For Maintainers

- Minimal description (aim for explaining to someone not on the team to
understand the PR)
- When linking to a Slack thread, you might want to share details of the
conclusion
- Link both the Linear (Fixes NEXT-xxx) and the GitHub issues
- Add review comments if necessary to explain to the reviewer the logic
behind a change

### What?

### Why?

### How?

Closes NEXT-
Fixes #

-->
### What?
Currently, the `router.push` method does not sanitize URL arguments,
which can cause cross-site scripting (XSS) bugs in next.js sites through
the running of untrusted code in a JavaScript URL. This was reported as
#50093 and was closed, with an explanation that it is the developer's
responsibility to sanitize `router.push` input. This PR is an addition
to the next.js docs to document that issue and let developers know that
they cannot send untrusted or unsanitized URLs into `router.push`.

### Why?
Cross-site scripting bugs can be quite high severity, as they often
allow attackers to steal credentials and data. Furthermore, the API most
similar to `router.push` in the web API, `history.pushState`, does not
accept JavaScript URLs, so developers might reasonably not know that
they need to sanitize `router.push` input. Searching through public
github repos finds more than 1,000 projects that may be vulnerable to
this issue, so I believe it's a pretty widespread misunderstanding of
the API.
---
 docs/02-app/02-api-reference/04-functions/use-router.mdx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/02-app/02-api-reference/04-functions/use-router.mdx b/docs/02-app/02-api-reference/04-functions/use-router.mdx
index 630b43c566c10..f4a167eca8339 100644
--- a/docs/02-app/02-api-reference/04-functions/use-router.mdx
+++ b/docs/02-app/02-api-reference/04-functions/use-router.mdx
@@ -50,6 +50,7 @@ export default function Page() {
 
 > **Good to know**:
 >
+> - You must not send untrusted or unsanitized URLs to `router.push` or `router.replace`, as this can open your site to cross-site scripting (XSS) vulnerabilities. For example, `javascript:` URLs sent to `router.push` or `router.replace` will be executed in the context of your page.
 > - The `<Link>` component automatically prefetch routes as they become visible in the viewport.
 > - `refresh()` could re-produce the same result if fetch requests are cached. Other Dynamic APIs like `cookies` and `headers` could also change the response.