Agreed - and good timing as well. I've just released version 1.0.6 that changes the mechanism by which configuration is passed to new windows from URL parameters to localStorage. The only thing that's appended to the URL is the key to the localStorage entry. This should hopefully close the attack vector created by parsing data from the URL in a way more solid fashion than any XSS filtering ever could.
Please re-open the issue if there are still vulnerabilities.
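The handoff described in the comment above, as an added example that is not part of the thread or golden-layout's own code: the opener stores the config in localStorage and the popout treats the URL value purely as a lookup key. The parameter name, key format and function names are assumptions, and `memoryStorage` is a constructed stand-in for `window.localStorage` so the block runs outside a browser.

```javascript
// Added example: hypothetical names throughout, not golden-layout's API.
const PARAM = 'popout-key';                 // assumed query parameter name
const KEY_RE = /^popout-[0-9a-f]{32}$/;     // the only key shape accepted

// 128-bit random key, so a key cannot be guessed or chosen by a link author.
function randomKey() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return 'popout-' + Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Opener side: park the config in same-origin storage, expose only the key.
function stashConfig(storage, baseUrl, config, newKey = randomKey) {
  const key = newKey();
  storage.setItem(key, JSON.stringify(config));
  const url = new URL(baseUrl);
  url.searchParams.set(PARAM, key);
  return url.toString();
}

// Popout side: the URL value is only ever used as a lookup key, never parsed
// as configuration or written into the DOM.
function loadConfig(storage, href) {
  const key = new URL(href).searchParams.get(PARAM);
  if (key === null || !KEY_RE.test(key)) return null;  // malformed or tampered value
  const raw = storage.getItem(key);
  if (raw === null) return null;                        // unknown key
  storage.removeItem(key);                              // single use
  try {
    const config = JSON.parse(raw);
    return config !== null && typeof config === 'object' ? config : null;
  } catch {
    return null;                                        // corrupted entry
  }
}

// Constructed in-memory stand-in for window.localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => void m.set(k, String(v)),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => void m.delete(k),
  };
}
```

Strings inside the stored config are still data, so titles and similar values need contextual output encoding at the point where they are rendered.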
I was looking at your tests and noticed https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/test/xss_tests.js#L2 which uses filterXss from https://github.com/hoxton-one/golden-layout/blob/aece036424acf3460d58b06ba1f9fd2108484351/src/js/utils/utils.js#L153
For example, a payload like
onmouseover=alert(42)
will pass that filter (and there are tons of other XSS corner cases, see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for a nice list).
In case it helps, here is a good XSS reference: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet