fix(FEC-11791): share url has cross-site scripting vulnerability #4255
| @@ -616,7 +616,7 @@ | |||
| res = document.URL; | |||
| } | |||
| } | |||
| return res; | |||
| return kWidget.sanitize(decodeURIComponent(res)); | |||
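Review bot: `decodeURIComponent(res)` throws a `URIError` on a malformed escape sequence (a lone `%`, or a truncated one such as `%E0%A4%A`), and `res` is taken from `document.URL`, which any visitor controls, so this line turns a bad query string into an uncaught exception in the share plugin instead of a sanitized string. Guard the decode and fall back to the raw value, e.g. `try { res = decodeURIComponent(res); } catch (e) {}` followed by `return kWidget.sanitize(res);`. Note also that the decoded string is what callers now receive: a `%26` or `%23` inside a parameter value becomes a bare `&` or `#`, which changes how the share link parses if the return value is used as a URL rather than only displayed; that is a functional change separate from the sanitization and worth a comment on the line stating that a single decode before `sanitize` is intentional.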
do we need to encode the url again?
No, decodeURIComponent replaces each escape sequence in the encoded URI with the character that it represents in ASCII. If it's not an escaping char, it moves on. For example:
https://www.kaltura.com/.../embed/dynamic?%22%3E%3Cimg%20src=x%20onerror=prompt(4)%3E
would turn into:
https://www.kaltura.com/.../embed/dynamic?">
By doing so, the sanitizer would be able to replace any escaping chars with empty strings. Without that decoding stage, the sanitizer won't work in cases where the URI is encoded. If the URI is not encoded (most cases), the decoder does nothing and returns the URI string as-is.
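The decoding step described in the comment above, as an added example in JavaScript that is not part of this PR or of the Kaltura player code: it runs decodeURIComponent over the encoded share URL quoted in the comment, over a plain URL, and over a URL with a malformed escape sequence, and wraps the call so the malformed case falls back to the raw string instead of throwing. `escapeHtml` is a stand-in for `kWidget.sanitize`, whose exact rules are not visible in this PR (an assumption); the `example.invalid` host and the `safeDecode`, `sanitizeShareUrl` and `reencodeWhole` names are constructed for the example. It also shows the side effect of re-encoding the whole decoded string, which the review question about encoding again touches on.

```javascript
// Added example (not part of the PR or the player code).

// Decode once. A malformed sequence (a lone "%" or a truncated "%E0%A4%A")
// makes decodeURIComponent throw URIError, and the share URL comes from
// document.URL, which the visitor controls, so return the raw string in
// that case rather than letting the caller crash.
function safeDecode(url) {
  try {
    return decodeURIComponent(url);
  } catch (e) {
    if (e instanceof URIError) return url;
    throw e;
  }
}

// Minimal HTML escaping used here as a stand-in for kWidget.sanitize,
// whose rules are not shown in this PR (assumption). It neutralises the
// characters that would let a decoded value break out of an attribute
// or start a new tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Same order as the fixed line in the PR: decode first, then sanitize, so
// the sanitizer sees the same characters the browser would render.
function sanitizeShareUrl(url) {
  return escapeHtml(safeDecode(url));
}

// Side effect of re-encoding the whole decoded string with
// encodeURIComponent: scheme and path separators are escaped too, so the
// result is no longer a usable link. That is why re-encoding has to be
// per-component, not over the full URL.
function reencodeWhole(url) {
  return encodeURIComponent(url);
}

// Constructed inputs (hostname is a placeholder).
const ENCODED = 'https://example.invalid/embed/dynamic?%22%3E%3Cimg%20src=x%20onerror=prompt(4)%3E';
const PLAIN = 'https://example.invalid/embed/dynamic?entry_id=abc';
const MALFORMED = 'https://example.invalid/embed/dynamic?q=%E0%A4%A';

// Stand-alone run: shows each stage for the three inputs.
for (const u of [ENCODED, PLAIN, MALFORMED]) {
  console.log('raw      :', u);
  console.log('decoded  :', safeDecode(u));
  console.log('sanitized:', sanitizeShareUrl(u));
}
console.log('re-encoded whole:', reencodeWhole(PLAIN));
```

The plain URL passes through both stages unchanged, the encoded one is decoded into markup that the escaping step then renders inert, and the malformed one survives as-is instead of throwing.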
I think encoding it again is safer. If it was encoded, we have to keep it encoded. If not, we just encode the URL; what is the side effect? @OrenMe wdyt?
@OrenMe please take a look at this PR
Updated pull request 4255: b3f6f0d
Description of the issue:
When the share plugin is enabled for the player, the share URL is not sanitized, which exposes a security vulnerability.
The solution:
Sanitizing the encoded and decoded share URL.
Solves FEC-11791