Improve XSS protection
Modern browsers treat backslashes as normal slashes when used in URLs. So instead of using the hash value "#page://google.com", we can use "#page:/\google.com" to bypass the XSS protection.
fvoordeckers committed Nov 29, 2017
1 parent e9aa040 commit 329eb1d
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion django_ajax/static/ajax-utilities/js/pagination.js
@@ -52,8 +52,9 @@ var Pagination = new function() {

function ajax(url, handler) {
// URL should start with a slash, but cannot start with two slashes.
// we cannot start with "/\". Modern browsers handle backslashes as normal slashes.
// (Otherwise we have an XSS vulnerability.)
if (url[0] != '/' || url[1] == '/')
if (url[0] != '/' || url[1] == '/' || url.startsWith("/\\")
url = (''+location).replace( /[#\?].*/, '') + url;

// Append 'xhr' to make sure all content is loaded.
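Review bot: as displayed, the new condition `if (url[0] != '/' || url[1] == '/' || url.startsWith("/\\")` is missing the closing parenthesis of the `if` before the assignment on the next line, which is a syntax error in this file; if that is only a rendering artifact of the commit page, the following two points still apply. First, `String.prototype.startsWith` is an ES2015 method that Internet Explorer does not implement, while `url[1] == '\\'` is the same test in the style of the rest of the line, so prefer that. Second, testing the first two characters is a denylist that only covers the prefixes it names (`//`, and now `/\`); the comment even says "Modern browsers handle backslashes as normal slashes", which is exactly the kind of parser normalisation a character check cannot enumerate. The more robust form of this guard is to resolve `url` relative to the page with the browser's own URL parser (for example by assigning it to the `href` of a detached `<a>` element and comparing `host`/`protocol` with `location`) and only then fall back to the `location` prefix when the origin differs. The comment block above the check should also state what the fallback on the last line does, namely that prepending the current location (minus query and fragment) forces the request back onto the page's own origin.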
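The bypass described in the commit message and the check the diff changes, side by side, as an added example; this is not django-ajax's code, and the `PAGE` value and the sample URLs are constructed for the demonstration. It reproduces the pre-commit check, the committed check, and the location-prefix fallback from pagination.js, then lets a WHATWG URL parser (Node's global `URL`, which follows the same rules as modern browsers) say where each value would actually resolve. It goes one step beyond the commit: the last sample contains an ASCII tab, which WHATWG parsers strip before parsing, so a test on the first two characters does not catch it while an origin comparison does.

```javascript
// Added example, not code from the django-ajax project.
// Constructed stand-in for window.location of the page issuing the request.
var PAGE = 'https://example.org/app/list/?page=2#top';

// Check as it stood before commit 329eb1d: anything not starting with
// exactly one forward slash is sent through the fallback.
function needsPrefixBefore(url) {
  return url[0] != '/' || url[1] == '/';
}

// Check as committed: additionally send a leading "/\" through the fallback.
function needsPrefixAfter(url) {
  return url[0] != '/' || url[1] == '/' || url.startsWith('/\\');
}

// The fallback pagination.js applies when a check fires: glue the current
// location, minus query string and fragment, in front of the untrusted value.
function prefixWithLocation(url, page) {
  return ('' + page).replace(/[#\?].*/, '') + url;
}

// Where a browser would really send the request: resolve the value the way
// a WHATWG URL parser does, relative to the page, and report whether the
// origin changed. A value the parser rejects is treated as cross-origin.
function crossesOrigin(url, page) {
  try {
    return new URL(url, page).origin !== new URL(page).origin;
  } catch (e) {
    return true;
  }
}

// Origin-based variant of the guard: let the parser decide instead of
// pattern-matching the first two characters, then reuse the same fallback.
function sanitize(url, page) {
  return crossesOrigin(url, page) ? prefixWithLocation(url, page) : url;
}

// Summary of how one value fares under each check, and which origin the
// request ends up on after the origin-based guard.
function report(url, page) {
  return {
    input: JSON.stringify(url),
    caughtBefore: needsPrefixBefore(url),
    caughtAfter: needsPrefixAfter(url),
    crossesOriginRaw: crossesOrigin(url, page),
    finalOrigin: new URL(sanitize(url, page), page).origin,
  };
}

// Constructed samples: an ordinary path, the classic "//" form, the "/\"
// form from the commit message, and a tab-containing form the parser
// normalises to "//" after stripping the tab.
var SAMPLES = ['/page/3/', '//google.com/', '/\\google.com/', '/\t/google.com/'];
SAMPLES.forEach(function (u) { console.log(report(u, PAGE)); });
```

Run with `node`; the `caughtBefore`/`caughtAfter` columns show the pre- and post-commit checks, `crossesOriginRaw` shows what the parser makes of the raw value, and `finalOrigin` stays on `https://example.org` for every sample once the guard is origin-based.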