window.history.replaceState vulnerabilities potential in foundation.reveal

[abdulhamid-alattar]

What should happen?

What happens instead?

manipulation of browser history

Possible Solution

window.history.replaceState('', document.title, window.location.href.replace(#${this.id}, ''));
replace state shouldnt be assigned directly from the href url

Test Case and/or Steps to Reproduce

Test Case:
Discoverd by Burp Suite , you can manipulate the history by passing query string or hash

How to reproduce:
1.
2.
3.

Context

Your Environment

• Foundation version(s) used: 6.4.3
• Browser(s) name and version(s): chrome
• Operating System and version (desktop or mobile): mac

Checklist (all required):

• [yes ] I have read and follow the CONTRIBUTING.md document.
• [ yes] There are no other issues similar to this one.
• [yes ] The issue title is descriptive.
• [ yes] The template is correctly filled.

[DanielRuf]

window.history.replaceState('', document.title, window.location.href.replace(#${this.id}, ''));
replace state shouldnt be assigned directly from the href url

This is not a security vulnerability imho. Also this depends on the html and is the same way how it is done in other frameworks and libraries who do deeplinking.

[DanielRuf]

Discoverd by Burp Suite , you can manipulate the history by passing query string or hash

Not true as this is only controllable from the html, not in the browser url. Also this just replaces the URL.

[DanielRuf]

{this.id}

This is the id of the reveal.

[ncoden]

See remix-run/history#371

[DanielRuf]

We do not use the search param or any other user controlled value ;-)

I see no real security issue. Just a replacement with the id from the DOM.

[DanielRuf]

Closing as we did not receive any further information.