Describe the bug

if you have a route with params, then you are vulnerable to XSS injection

http://localhost:3000/page/foobar%3C!--t7g0a%3C%2fscript%3E%3Cscript%3Ealert(1337)%3C%2fscript%3Easdasda

this page will create a script tag on the page that will execute on the browser side and can steal user data

this works by passing the "hydrate.page.params.foobar" object to the client side

Reproduction

@sveltejs/adapter-node

Logs

No response

System Info

System:
  OS: macOS 12.0.1
  CPU: (8) arm64 Apple M1
  Memory: 114.48 MB / 16.00 GB
  Shell: 5.8 - /bin/zsh
Binaries:
  Node: 16.11.0 - /usr/local/bin/node
  npm: 8.0.0 - /usr/local/bin/npm
Browsers:
  Chrome: 96.0.4664.55
  Firefox: 92.0
  Safari: 15.1
npmPackages:
  @sveltejs/adapter-node: ^1.0.0-next.45 => 1.0.0-next.45
  @sveltejs/kit: ^1.0.0-next.156 => 1.0.0-next.156

Severity

blocking all usage of SvelteKit

Additional Information

No response
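The report above describes route params reaching the browser through an inline hydration script. As an added example (not SvelteKit's own code, nor the reporter's), the snippet below contrasts naive `JSON.stringify` embedding with a form that escapes the characters the HTML parser treats specially inside a `<script>` element, and checks which of the two lets a param terminate the element. The `hydrate.page.params.foobar` shape is taken from the report; the function names and the `window.hydrate` assignment are assumptions.

```javascript
// Added example (not SvelteKit's code): embedding route params in an inline
// <script> for hydration. The object shape mirrors "hydrate.page.params" from
// the report; function names and the window.hydrate global are assumed.

// Naive embedding: JSON.stringify leaves '<' and '>' untouched, so a param
// containing "</script><script>..." ends the script element early and the
// HTML parser treats the remainder as markup.
function embedUnsafe(hydrate) {
  return `<script>window.hydrate = ${JSON.stringify(hydrate)};</script>`;
}

// Hardened embedding: replace every character that has meaning to the HTML
// parser inside <script>, plus the two line terminators JSON accepts but
// JavaScript string literals do not. Each replacement is a valid JSON escape,
// so JSON.parse on the client still yields the original values.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

function embedSafe(hydrate) {
  return `<script>window.hydrate = ${serializeForScript(hydrate)};</script>`;
}

// True if the text between the script tags could close the element or open
// an HTML comment, the two sequences that let injected data escape script
// context. Used here as a check on the serializer, not as a sanitizer.
function canBreakOutOfScript(html) {
  const inner = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script|<!--/i.test(inner);
}

// Client-side recovery of the embedded value; must return the original param.
function roundTrip(value) {
  return JSON.parse(serializeForScript(value));
}

// Constructed sample: the URL-decoded path segment from the report.
const maliciousParam = 'foobar<!--t7g0a</script><script>alert(1337)</script>asdasda';
const hydrate = { page: { params: { foobar: maliciousParam } } };

console.log('naive embedding breaks out of <script>:', canBreakOutOfScript(embedUnsafe(hydrate)));
console.log('escaped embedding breaks out of <script>:', canBreakOutOfScript(embedSafe(hydrate)));
console.log('param survives round trip:', roundTrip(hydrate).page.params.foobar === maliciousParam);
```

The escaped form is what a server-rendered hydration payload needs regardless of framework: the value is still ordinary JSON, so nothing changes on the client, but no param can contain a literal `</script` or `<!--` once serialized.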
not relevant sorry)