fix(refinementList): prevent XSS via routing #4344
There's a security issue with the
Why this is an issue
Why this happens
We use triple braces in the template because, when searching for facet values (SFFV), we highlight the matches with HTML tags. This specific case is not as dangerous because we don't synchronize the SFFV values in the URL.
We can switch to using
We therefore conditionally use the "dangerous" value when it cannot come from the URL.
This solution is the one that I think will be the least transparent for users. Very few users (if any) rely on facet values containing HTML and the triple-brace Hogan syntax. If so, this fix is more important than considering this a breaking change, to speed up the adoption of the next minor version. We'll therefore be explicit about this security fix in the changelog if it ever breaks some apps, which, again, is very unlikely.
We should be more careful with values generated from the URL. This will also be true with values injected in the UI state more generally. We should think about rejecting values that cannot happen, since you're not supposed to be able to generate facet values via the URL. This is out of scope for now.
We can delay the documentation for this new
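The escaping decision described above, as an added example that is not part of the PR or of InstantSearch.js itself: a facet value restored from the URL is always HTML-escaped (the double-brace behaviour), while the highlighted markup is rendered raw only when the item came from a search-for-facet-values query. The function and property names (`renderItem`, `renderItemUnsafe`, `isFromSearch`, `highlighted`) are assumptions, as is the sample data.

```javascript
// Added example, not InstantSearch.js code. Names and sample data are assumptions.

// Minimal HTML escaping, equivalent to what a double-brace template output does.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before": a triple-brace style template that always inserts the label raw.
// A value restored from routing state is rendered as markup, which is the bug.
function renderItemUnsafe(item) {
  const label = item.isFromSearch ? item.highlighted : item.value;
  return `<li><label>${label}</label></li>`;
}

// "After": only the SFFV highlight (produced by the search API, never taken
// from the URL) is inserted raw; any other value is escaped first.
function renderItem(item) {
  const label = item.isFromSearch && item.highlighted !== undefined
    ? item.highlighted          // raw: highlighting markup from SFFV
    : escapeHtml(item.value);   // escaped: may have been restored from the URL
  return `<li><label>${label}</label></li>`;
}

// Constructed sample items: one restored from routing, one from an SFFV query.
const fromRouting = { value: '<b>brand</b>', isFromSearch: false };
const fromSFFV = { value: 'apple', highlighted: '<mark>app</mark>le', isFromSearch: true };

console.log(renderItemUnsafe(fromRouting)); // markup from the URL rendered raw
console.log(renderItem(fromRouting));       // markup from the URL escaped
console.log(renderItem(fromSFFV));          // highlight markup kept
```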