Added documentation about potential XSS in router.push (#71645)
### What?

Currently, the `router.push` method does not sanitize URL arguments, which can cause cross-site scripting (XSS) bugs in Next.js sites through the running of untrusted code in a JavaScript URL. This was reported as #50093 and was closed, with an explanation that it is the developer's responsibility to sanitize `router.push` input.

This PR is an addition to the Next.js docs to document that issue and let developers know that they cannot send untrusted or unsanitized URLs into `router.push`.

### Why?

Cross-site scripting bugs can be quite high severity, as they often allow attackers to steal credentials and data. Furthermore, the API most similar to `router.push` in the web API, `history.pushState`, does not accept JavaScript URLs, so developers might reasonably not know that they need to sanitize `router.push` input. Searching through public GitHub repos finds more than 1,000 projects that may be vulnerable to this issue, so I believe it's a pretty widespread misunderstanding of the API.
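As an added example (not code from this PR or the Next.js project), this is the kind of allow-list check a site can run on untrusted input before passing it to `router.push`. The origin `https://app.example` and the sample inputs are constructed for illustration.

```javascript
// Added example, not part of the PR: only same-origin http(s) targets reach router.push.
// Everything else (javascript:, data:, vbscript:, foreign origins) is rejected with null.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function sanitizeNavigationTarget(input, origin = 'https://app.example') {
  if (typeof input !== 'string') return null;
  let url;
  try {
    // Resolving against the site origin lets relative paths through. The WHATWG
    // URL parser also lower-cases the scheme and strips tabs, newlines and
    // leading/trailing spaces, so " JaVaScRiPt:" and "java\tscript:" both
    // normalise to protocol "javascript:" and are caught by the allow-list.
    url = new URL(input, origin);
  } catch {
    return null; // unparseable input
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Protocol-relative ("//evil.example") and backslash forms ("\\evil.example")
  // resolve to a different origin; keep client-side navigation on our own site.
  if (url.origin !== new URL(origin).origin) return null;
  return url.pathname + url.search + url.hash;
}

// Constructed sample of untrusted values, e.g. from a ?redirect= query parameter.
const SAMPLES = [
  '/dashboard?tab=1#top',
  'https://app.example/settings',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,hi',
  '//evil.example/x',
  '\\\\evil.example/x',
];

// Returns the subset of inputs that may be handed to router.push, in their normalised form.
function filterSafeTargets(inputs, origin) {
  return inputs.map((s) => sanitizeNavigationTarget(s, origin)).filter((t) => t !== null);
}

console.log(filterSafeTargets(SAMPLES)); // ['/dashboard?tab=1#top', '/settings']
```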