filterXxs shouldn't really be doing these type of 'black-list' transformations #28
I was looking at your tests and noticed https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/test/xss_tests.js#L2 which uses filterXss from https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/src/js/utils/utils.js#L153
For example a payload file
In case it helps, here is a good XSS reference: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from url parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.
Please re-open the issue if there are still vulnerabilities.