Fix xss vulnerability in origin save
25af062ce7df
Actions

Description

Fix xss vulnerability in origin save

Summary:
Related T1690
Added client side xss filter

Save code now is vulnerable to XSS attack.

Steps to reproduce-
Remove the validation from client side (with dev tools)
Enter this url in origin url
https://github.com/%3Cscript%3Ealert(document.domain);%3C/script%3E

We should add more validations at the server side to prevent such urls from entering into the database.

For server side validations, I was thinking of preventing regex /.*(%3C).*(%3E)/ and /.*(javascript:).*/ There may be a few more cases we need to take care of.

Or should we check if the url returns 200 or not before entering it to the table.

Reviewers: Reviewers, anlambert

Reviewed By: Reviewers, anlambert

Subscribers: anlambert, vlorentz

Differential Revision: https://forge.softwareheritage.org/D1433

Details

Provenance

kalpitk	Authored on Apr 26 2019, 10:27 PM
kalpitk	Pushed on Apr 27 2019, 10:40 AM

Reviewer

Reviewers

Differential Revision

Restricted Differential Revision

Build Status

Buildable 5552
Build 7554: test-and-build

Event Timeline

kalpitk committed rDWAPPS25af062ce7df: Fix xss vulnerability in origin save (authored by kalpitk).Apr 27 2019, 10:40 AM

Harbormaster completed building B5552: rDWAPPS25af062ce7df: Fix xss vulnerability in origin save.Apr 27 2019, 10:45 AM

Commit No Longer Exists

This commit no longer exists in the repository.