Fix/xss #6403
Merged
Fix/xss #6403
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This allowed a possible XSS by naming a file in a particular way on your device.
…query This would allow XSS through a very simple phishing attack
|
I just looked at your PR and yes! This is essential. I am releasing a new version right away. Thank you soooo much!!! |
|
I see |
|
Oh oops, you're right. I had originally intended on adding an express.use function to clean req.query, but I changed the implementation. Thought I had removed that. It definitely does not need to be there. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Did some fixes for possible XSS injections.
First: A filename could be constructed such that, when a user edits the file, it will execute a script. This was caused by the default page not doing HTML escape on some filenames.
Second: Fixed an injection possibility regarding query params. One could construct a URL like:
https://localhost/meshagents?key="><script>alert(1)</script><a+Or, in tricky mode:
Click here to pwn yourself
I added EncodeURIComponent for most uses of req.query in webserver.js, but I can't guarantee I got them all.