fix: security fix for cross-site scripting (xss) #1

Merged
merged 2 commits into from
Sep 28, 2023

Conversation

mikegioia
Member

The form library suffered from an XSS issue, which was caused by 2 minor issues inside the code, which made possible the use of eval on unsanitized values (inside the "override" of parseJSON) and HTML parsing on an unsanitized AJAX response.

The 2 issues have been fixed in the following way:

  1. The eval inside the parseJSON function has been removed, and an error has been added which is raised when the default $.parseJSON function (in jQuery) isn't declared (anyone with good intentions would simply add the jQuery script on the page and all works correctly again).
  2. The unsanitized AJAX response was previously passed to parseHTML without any check, making it possible to inject additional HTML. I used a peculiarity of jQuery to translate the evaluated HTML nodes into text nodes, which are equal to HTML-encoded entities. It can be verified by seeing this:
    image

@mikegioia mikegioia merged commit fa21072 into master Sep 28, 2023
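
The two fixes described in the pull request, as an added example that is not the library's code or the merged patch: a JSON parse that fails closed instead of falling back to eval, and response text encoded before display. The function names and the `{"message": ...}` response shape are assumptions; the encoder stands in for the text-node conversion the description mentions and also encodes quotes.

```javascript
// Added example; names and the sample response shape are constructed.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode HTML-significant characters so the value can only render as text.
// Quotes are encoded too, so the result is also safe inside an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Fail closed: with no strict parser supplied, throw instead of using eval().
function parseJSONStrict(text, parser) {
  if (typeof parser !== 'function') {
    throw new Error('JSON parser not available; refusing to evaluate response');
  }
  return parser(String(text));
}

// Parse an AJAX response body and return markup-safe text for display.
// Assumes the server replies with {"message": "..."} (hypothetical shape).
function renderResponse(body, parser) {
  let data;
  try {
    data = parseJSONStrict(body, parser);
  } catch (err) {
    // Only malformed JSON is handled here; a missing parser still propagates.
    if (!(err instanceof SyntaxError)) throw err;
    return { ok: false, text: 'Invalid server response' };
  }
  const message =
    data !== null && typeof data === 'object' && typeof data.message === 'string'
      ? data.message
      : '';
  return { ok: true, text: escapeHtml(message) };
}

// Constructed sample: a response whose message field carries markup.
const SAMPLE_BODY = JSON.stringify({ message: '<img src=x onerror=alert(1)> saved' });
console.log(renderResponse(SAMPLE_BODY, JSON.parse).text);
console.log(renderResponse('alert(1)', JSON.parse).ok);
```

A body that is an expression rather than JSON is rejected by the strict parser, and markup in a valid body reaches the page only as encoded text.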