
[XSS] Ignore case of blacklisted HTML elements #247

Merged
merged 2 commits into from
May 29, 2019

Conversation

jakelazaroff
Contributor

Right now, you can inject script and style tags by using uppercase letters, e.g. <SCRIPT>alert('hi')</SCRIPT>. This PR converts tag names to lowercase before evaluating against the blacklist.
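As an added illustration (not code from the project or from this PR), a minimal blacklist check showing the case-sensitive comparison the description refers to beside the lowercased comparison the PR introduces; the helper names, the regex and the sample tags are assumptions constructed for this example.

```javascript
// Added example, not the project's own code. Tag-name regex, function
// names and sample inputs are constructed for illustration.
const BLACKLIST = new Set(['script', 'style']);

// Extract the tag name from an opening tag such as "<SCRIPT>" or "<div class=x>".
function tagName(openingTag) {
  const m = /^<\s*([A-Za-z][A-Za-z0-9-]*)/.exec(openingTag);
  return m ? m[1] : null;
}

// Before the fix: a case-sensitive lookup, so "<SCRIPT>" is not blocked even
// though browsers treat HTML tag names case-insensitively.
function isBlockedVulnerable(openingTag) {
  const name = tagName(openingTag);
  return name !== null && BLACKLIST.has(name);
}

// After the fix: lowercase the tag name before consulting the blacklist, which
// matches how an HTML parser will interpret it.
function isBlockedFixed(openingTag) {
  const name = tagName(openingTag);
  return name !== null && BLACKLIST.has(name.toLowerCase());
}

// Constructed samples paired with whether a correct check should block them.
const SAMPLES = [
  ['<script>', true],
  ['<SCRIPT>', true],
  ['<ScRiPt src=x>', true],
  ['<STYLE>', true],
  ['<div>', false],
  ['<p class="a">', false],
];

// Return the tags a checker lets through although they should be blocked.
function missedByChecker(check) {
  return SAMPLES.filter(([tag, block]) => block && !check(tag)).map(([tag]) => tag);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('missed by vulnerable check:', missedByChecker(isBlockedVulnerable));
  console.log('missed by fixed check:', missedByChecker(isBlockedFixed));
}
```

Note that normalizing case only closes the bypass described in this PR; a blacklist remains a weaker control than an explicit allowlist of permitted elements.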

Owner

@quantizor quantizor left a comment


Makes sense, thanks

@quantizor
Owner

Need to get CI passing though

@codecov

codecov bot commented May 8, 2019

Codecov Report

Merging #247 into master will increase coverage by <.01%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #247      +/-   ##
==========================================
+ Coverage   99.72%   99.72%   +<.01%     
==========================================
  Files           1        1              
  Lines         363      364       +1     
  Branches       57       57              
==========================================
+ Hits          362      363       +1     
  Misses          1        1
Impacted Files Coverage Δ
index.js 99.72% <100%> (ø) ⬆️

Powered by Codecov. Last update 9570018...8ee8010. Read the comment docs.


@jakelazaroff
Contributor Author

@probablyup Sorry, missed that test. Not sure why it only works when I pass the lowercase tag name but should be fixed now.

@keithkade

Anything else blocking this fix? Snyk recently started flagging an XSS vulnerability.

@quantizor quantizor merged commit dab7b5d into quantizor:master May 29, 2019
@quantizor
Owner

Thanks!
