`lib/rack/rewrite/rule.rb#redirect_message` - this method is passing `location` as is into a link. Suppose that `location` contains something like `#"><script>alert(1)</script>`; then the resulting body will be `Redirecting to <a href="#"><script>alert(1)</script>">#"><script>alert(1)</script></a>`. Not all browsers will evaluate the response body, but this is still possible.
Solution: do not place that link at all. You can argue that the link should be properly escaped before passing it to rack-rewrite, but people tend to make mistakes and the lib should not make it worse.
Better solution: provide a hook to override that short template and by default do not include the link.
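To make the two options concrete, here is an added example (not rack-rewrite's own code) that reconstructs the assumed shape of the redirect template from the body quoted above, puts the page's sample `location` through it, and compares it with an escaped variant and with the link-free variant the issue recommends. The template string, the function names and the `contains_raw_script?` check are assumptions for illustration.

```ruby
require 'cgi'

# Constructed sample location: the value quoted in the issue text.
SAMPLE_LOCATION = '#"><script>alert(1)</script>'

# Assumed shape of the current template: `location` is interpolated twice,
# once into the href attribute and once into the link text, with no escaping.
def redirect_message_unescaped(location)
  %(Redirecting to <a href="#{location}">#{location}</a>)
end

# Hardened variant 1: HTML-escape the value before interpolating it.
# CGI.escapeHTML encodes &, <, >, " and ', so it is safe in both the quoted
# attribute and the element text.
def redirect_message_escaped(location)
  safe = CGI.escapeHTML(location)
  %(Redirecting to <a href="#{safe}">#{safe}</a>)
end

# Hardened variant 2, the fix the issue prefers: no link in the body at all.
# The Location header already carries the target; the body is informational.
def redirect_message_plain(_location)
  'Redirecting'
end

# Minimal reviewer check: does the body still contain a raw <script tag?
def contains_raw_script?(body)
  body.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts redirect_message_unescaped(SAMPLE_LOCATION)
  puts redirect_message_escaped(SAMPLE_LOCATION)
  puts redirect_message_plain(SAMPLE_LOCATION)
end
```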