Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

filterXxs shouldn't really be doing these type of 'black-list' transformations #28

DinisCruz opened this issue Dec 13, 2014 · 1 comment


Copy link

@DinisCruz DinisCruz commented Dec 13, 2014

I was looking at your tests and noticed which uses filterXss form

For example a playload flie onmouseover=alert(42) will pass that filter (and there are tons of other xss corner cases, see for a nice list)

In case it help, here is a good XSS reference:

Copy link

@deepstreamIO deepstreamIO commented Dec 14, 2014

agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from url parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.

Please re-open the issue if there are still vulnerabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant