Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] xss issue with dynamic route paths #2597

Merged
merged 7 commits into from
Oct 13, 2021
Merged

[fix] xss issue with dynamic route paths #2597

merged 7 commits into from
Oct 13, 2021

Conversation

dominikg
Copy link
Member

@dominikg dominikg commented Oct 13, 2021
edited
Loading

fix #2596

uses try_serialize as suggested by @Conduitry , includes testcase that fails without this fix

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

@changeset-bot
Copy link

changeset-bot bot commented Oct 13, 2021
edited
Loading

🦋 Changeset detected

Latest commit: 4c32be2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dominikg dominikg changed the title test(routing): add testcases for xss in dynamic path and queryparams [fix] xss issue with dynamic route paths Oct 13, 2021
@Conduitry Conduitry merged commit 4bfeb8f into sveltejs:master Oct 13, 2021
@github-actions github-actions bot mentioned this pull request Oct 13, 2021
Merged
dennisjlee
dennisjlee reviewed Oct 19, 2021
View reviewed changes
packages/kit/test/apps/basics/src/routes/xss/_tests.js

test('no xss via query param', `/xss/query?key=${uri_xss_payload}`, async ({ page }) => {
// @ts-expect-error - check global injected variable
assert.ok(!(await page.evaluate(() => window.pnwed)), 'pwned');
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry for the drive-by comment, but this is testing the wrong condition due to a typo. The XSS injection would set window.pwned but the two assertions are looking for window.pnwed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! It looks like there are other things going on here besides just the typo, so I've opened issue #2648 for fixing this test.

@Conduitry Conduitry mentioned this pull request Oct 20, 2021
Closed
@Conduitry Conduitry mentioned this pull request Sep 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dennisjlee dennisjlee dennisjlee left review comments

@Conduitry Conduitry Conduitry approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

XSS in hydration script using server-side prop values
3 participants
@dominikg @dennisjlee @Conduitry