Added documentation about potential XSS in router.push #71645
Merged
Conversation
Update: I realized last night that this XSS issue might also apply to
ijjk reviewed Oct 29, 2024
ijjk approved these changes Oct 30, 2024
stipsan pushed a commit to sanity-io/next.js that referenced this pull request Nov 6, 2024
What?

Currently, the `router.push` method does not sanitize URL arguments, which can cause cross-site scripting (XSS) bugs in next.js sites through the running of untrusted code in a JavaScript URL. This was reported as #50093 and was closed, with an explanation that it is the developer's responsibility to sanitize `router.push` input. This PR is an addition to the next.js docs to document that issue and let developers know that they cannot send untrusted or unsanitized URLs into `router.push`.

Why?

Cross-site scripting bugs can be quite high severity, as they often allow attackers to steal credentials and data. Furthermore, the API most similar to `router.push` in the web API, `history.pushState`, does not accept JavaScript URLs, so developers might reasonably not know that they need to sanitize `router.push` input. Searching through public github repos finds more than 1,000 projects that may be vulnerable to this issue, so I believe it's a pretty widespread misunderstanding of the API.
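The description above says developers must sanitize what they pass to `router.push`; the following is an added example of one way to do that, written for this page and not taken from the PR or from Next.js itself. It parses the candidate target with the WHATWG `URL` constructor (which normalizes scheme case and strips embedded tabs and newlines, so a plain prefix check on the raw string would be insufficient) and allows only `http:`/`https:` targets, by default restricted to the app's own origin. The `currentOrigin` value `https://app.example` is a constructed placeholder (in a browser you would pass `window.location.origin`), `isSafeNavigationTarget` and `safePush` are names chosen here, and `router` is assumed to be any object exposing a `push` method as the Next.js router does.

```javascript
// Added example (not from the PR or Next.js): gate untrusted navigation
// targets before they reach router.push. Assumes a router object with a
// push(url) method; the default origin below is a constructed placeholder.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only when `target` parses as an http(s) URL and, unless
// allowExternal is set, stays on the current origin. Relative paths such as
// "/dashboard" resolve against currentOrigin and are therefore accepted;
// "javascript:", "data:", and protocol-relative "//evil.example" are not.
function isSafeNavigationTarget(
  target,
  { allowExternal = false, currentOrigin = 'https://app.example' } = {}
) {
  if (typeof target !== 'string' || target.length === 0) return false;

  let parsed;
  try {
    // The URL parser lowercases the scheme and removes ASCII tab/newline
    // characters, so "  JavaScript:..." and "java\tscript:..." both end up
    // with protocol "javascript:" and are rejected below.
    parsed = new URL(target, currentOrigin);
  } catch {
    return false; // unparseable input is never a valid navigation target
  }

  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;

  if (!allowExternal && parsed.origin !== new URL(currentOrigin).origin) {
    return false; // protocol-relative or absolute off-origin URL
  }

  return true;
}

// Wrapper around router.push that substitutes a known-safe fallback for
// anything that fails validation, so untrusted input (query strings, API
// responses, postMessage payloads) never becomes a javascript: navigation.
function safePush(router, target, options = {}, fallback = '/') {
  const destination = isSafeNavigationTarget(target, options) ? target : fallback;
  return router.push(destination);
}

// Stand-alone demonstration with a minimal stand-in for the router.
if (typeof require !== 'undefined' && require.main === module) {
  const fakeRouter = { push: (url) => url };
  console.log(safePush(fakeRouter, '/dashboard'));            // /dashboard
  console.log(safePush(fakeRouter, 'javascript:alert(1)'));   // /
  console.log(safePush(fakeRouter, '//evil.example/phish'));  // /
}
```

The same-origin check is the conservative default; pass `{ allowExternal: true }` only on call sites that are meant to send users off-site, and even then the protocol allow-list still blocks `javascript:` and `data:` targets.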