[fix] xss issue with dynamic route paths #2597
🦋 Changeset detected. Latest commit: 4c32be2. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
test('no xss via query param', `/xss/query?key=${uri_xss_payload}`, async ({ page }) => {
    // @ts-expect-error - check global injected variable
    assert.ok(!(await page.evaluate(() => window.pnwed)), 'pwned');
Sorry for the drive-by comment, but this is testing the wrong condition due to a typo. The XSS injection would set window.pwned, but the two assertions are looking for window.pnwed.
Thanks! It looks like there are other things going on here besides just the typo, so I've opened issue #2648 for fixing this test.
fix #2596
Uses try_serialize as suggested by @Conduitry; includes a test case that fails without this fix.
Before submitting the PR, please make sure you do the following:
- Tests: run `pnpm test`, and lint the project with `pnpm lint` and `pnpm check`.
- Changesets: run `pnpx changeset` and follow the prompts. All changesets should be `patch` until SvelteKit 1.0.
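As an added example (not SvelteKit's code and not part of this PR), here is a small JavaScript model of both points raised on this page: the fix (serializing untrusted path/query data so it cannot break out of an inline script) and the review comment (a mistyped canary makes a negative XSS assertion vacuous). It assumes the bug class is "user-controlled data serialized into an inline script", which the page implies via try_serialize but does not show, and uses no SvelteKit APIs.

```javascript
// Added example, not SvelteKit's code. Models the bug class as "untrusted
// data serialized into an inline <script>" (an assumption; the page does not
// show the real rendering path) and why a mistyped canary hides the XSS.
const CANARY = 'pwned';

// Constructed payload: a query value that closes the data script early.
const PAYLOAD = `</script><script>window.${CANARY}=1</script>`;

// Vulnerable: JSON.stringify does not escape "</script>".
function embedNaive(value) {
  return `<script>window.__data=${JSON.stringify(value)};</script>`;
}

// Hardened: escape characters that can end the script element or break
// JS parsing (U+2028/2029). Same intent as a "safe serialize" helper.
function embedEscaped(value) {
  const json = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `<script>window.__data=${json};</script>`;
}

// Minimal stand-in for a browser: execute each <script> body in order
// against a fake window; a script that fails to parse is skipped, as a
// browser would, and execution continues with the next one.
function simulateBrowser(html) {
  const win = {};
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    try { new Function('window', m[1])(win); } catch (_) { /* skipped */ }
  }
  return win;
}

// The PR's assertion shape: "no XSS" means the canary global is unset.
// With canary = 'pnwed' (the typo) this returns true even after the
// injection ran, so the test can never fail.
function noXss(win, canary = CANARY) {
  return !win[canary];
}

// Self-check a negative test should carry: run it against the known-bad
// renderer and require that it fails there.
function testCanFail(canary = CANARY) {
  return !noXss(simulateBrowser(embedNaive(PAYLOAD)), canary);
}
```

Running `testCanFail('pnwed')` returns false, which is the situation the reviewer spotted: the assertion passes against the vulnerable output, so it proves nothing.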