
sanitize javascript url to prevent XSS #80

Open

wants to merge 1 commit into base: main

Conversation

@gtsp233 gtsp233 commented Jan 20, 2024

Fix for Cross-Site Scripting (XSS) Vulnerability

I've identified a Cross-Site Scripting (XSS) vulnerability in this package.

Vulnerability Details:

  • Severity: High/Critical
  • Description: There's a risk of malicious script execution when the input to ClickToComponent is controlled by an attacker.

Steps to Reproduce:
In a React.js project:

import React from "react";
import ReactDOM from "react-dom/client";
import { ClickToComponent } from "click-to-react-component";

const root = ReactDOM.createRoot(document.getElementById("root"));

function App() {
  return (
    <ClickToComponent
      // attacker-controlled: a javascript: URL instead of an editor scheme
      editor="javascript:alert(1);'"
      // also attacker-controlled; the returned quote closes the one opened in `editor`
      pathModifier={() => {
        return `'`;
      }}
    />
  );
}
root.render(<App />);

Then the malicious code alert(1) will be executed.

Suggested Fix or Mitigation:
It is best practice for a React.js component package to sanitize the URL before passing it to window.location.assign. React.js and many popular libraries such as react-router-dom and Next.js also ensure URL safety to prevent XSS. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.

Using a whitelist to filter the "editor" prop is also suggested.

I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability. Thanks!
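One way to implement the allowlist-plus-sanitization the report suggests, as an added example that is not code from click-to-react-component or from this PR. It assumes the package composes the link as `${editor}://file/${path}:${line}:${column}` (the real link shape may differ), and the editor allowlist, `encodeSegment`, `buildEditorUrl` and `safeEditorUrl` are illustrative names. It goes slightly beyond the report by also re-parsing the built link with `new URL()` so the scheme that reaches `window.location.assign` is the one that was allowlisted.

```javascript
// Added example, not code from click-to-react-component or from this PR.
// Assumptions: the package composes the link as `${editor}://file/${path}:${line}:${column}`
// (the real link shape may differ), and the allowlist below is illustrative.

// Editors whose URL handlers the component is allowed to open.
const ALLOWED_EDITORS = new Set(["vscode", "vscode-insiders", "webstorm"]);

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// "javascript:alert(1);'" fails this because of the ':' , ';' and quote characters.
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]*$/;

// Percent-encode a path segment, including the characters encodeURIComponent leaves
// alone ( ! ' ( ) * ) so a pathModifier cannot inject quotes into the link.
function encodeSegment(segment) {
  return encodeURIComponent(segment).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

function buildEditorUrl({ editor, path, line = 1, column = 1, pathModifier }) {
  // 1. Structural check: the prop is used as the URL scheme, so it must be one.
  if (typeof editor !== "string" || !SCHEME_RE.test(editor)) {
    throw new Error(`editor is not a valid URL scheme: ${JSON.stringify(editor)}`);
  }
  // 2. Allowlist check: only known editor handlers may be targeted.
  const scheme = editor.toLowerCase();
  if (!ALLOWED_EDITORS.has(scheme)) {
    throw new Error(`editor not in allowlist: ${editor}`);
  }
  // 3. Line and column must be positive integers; anything else is refused, not interpolated.
  if (!Number.isInteger(line) || !Number.isInteger(column) || line < 1 || column < 1) {
    throw new Error(`invalid position ${line}:${column}`);
  }
  // 4. pathModifier is arbitrary caller code: treat its output as untrusted and encode it.
  const modified = typeof pathModifier === "function" ? pathModifier(path) : path;
  const encodedPath = String(modified).split("/").map(encodeSegment).join("/");
  const candidate = `${scheme}://file/${encodedPath}:${line}:${column}`;
  // 5. Defence in depth: parse what was built and confirm the scheme is still the
  //    allowlisted one before it reaches window.location.assign.
  const parsed = new URL(candidate);
  if (parsed.protocol !== `${scheme}:`) {
    throw new Error(`scheme changed during parsing: ${parsed.protocol}`);
  }
  return parsed.href;
}

// Non-throwing wrapper: the component either gets a URL to navigate to or a reason to refuse.
function safeEditorUrl(options) {
  try {
    return { ok: true, url: buildEditorUrl(options) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Usage with the PoC inputs from the report (constructed for this example):
const poc = safeEditorUrl({
  editor: "javascript:alert(1);'",
  path: "src/App.jsx",
  pathModifier: () => "'",
});
console.log(poc); // rejected at step 1

const ok = safeEditorUrl({ editor: "vscode", path: "src/App.jsx", line: 12, column: 3 });
console.log(ok); // { ok: true, url: "vscode://file/src/App.jsx:12:3" }
```

The scheme check alone is what stops the PoC; the allowlist keeps a typo or a new browser-handled scheme from becoming navigable, and the segment encoding means a `pathModifier` that returns a quote ends up as `%27` in the link rather than as a character that could close a string.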


changeset-bot bot commented Jan 20, 2024

⚠️ No Changeset found

Latest commit: eaba7f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@alexgorbatchev

I have published a fork which includes this PR https://github.com/alexgorbatchev/click-to-component-next
