The X-XSS-Protection feature will block FormData #400
Comments
Hey, this is not implemented yet. Check out #364. But our XSS validator should support working with form data, so I am open to extending it. Would you be interested in developing such a feature? :) I can provide all the help needed.
Awesome to hear @Ray0907 💚
So I suppose it will be something like this (pseudocode):
Let me know if you need anything else, happy coding!
@Baroshem I want to check content that isn't of file type, but it seems to be blocked by middleware. Are there any other codes or methods besides using an XSSValidator to block this content?
Hey @Ray0907. Maybe another middleware is blocking this one; I'm not sure about it. You can try disabling the middlewares one after another to see which one is blocking it. What response code do you get?
I'm utilizing formidable to manage file uploads via a form. However, when I activate nuxt-security, the response remains pending until it times out. If I deactivate nuxt-security, it works fine. I've already verified that the validator value is the same as the one read from the body.
Hey, thanks for the great work. I am having a similar issue as @Ray0907
in both cases return When I deactivate the module everything works fine.
I am not using basic auth, and to be honest I didn't do much debugging as I needed to finish developing the feature. What I am using for auth is Thank you
Awesome, please let me know. I will try my best to help you :)
Hi @Baroshem I managed to do some debugging and I can confirm that is the
// Nuxt server route that forwards /api/* to Appwrite Cloud so the browser SDK
// can be pointed at the same origin. defineEventHandler, proxyRequest and
// createError are auto-imported by Nuxt; the explicit h3 import is only for clarity.
import { AppwriteException } from 'appwrite'
import { joinURL } from 'ufo'
import { defineEventHandler, proxyRequest, createError } from 'h3'

export default defineEventHandler(async (event) => {
  // Strip the local /api/ prefix and rebuild the upstream URL
  const path = event.path.replace(/^\/api\//, '')
  const target = joinURL('https://cloud.appwrite.io/v1', path)
  try {
    // Streams the incoming request (including multipart uploads) to Appwrite
    await proxyRequest(event, target)
  } catch (error: any) {
    // Map Appwrite's own error type onto an H3 error carrying its status code
    if (error instanceof AppwriteException) {
      throw createError({
        statusCode: error.code,
        statusMessage: error.message,
        message: error.name
      })
    } else {
      throw createError(error)
    }
  }
})
<script lang="ts" setup>
import { Client, Storage, ID } from 'appwrite'

const config = useRuntimeConfig()
// Point the SDK at the local proxy route instead of cloud.appwrite.io directly
const client = new Client()
  .setEndpoint('http://localhost:4000/api')
  .setProject(config.public.appwrite.projectId)
const storage = new Storage(client)

const file = ref<File | null>(null)
const uploadProgress = ref(0)

// Triggered by the file input's change event; the SDK sends the file as multipart form data
const onUploadFile = async ($event: Event) => {
  const target = $event.target as HTMLInputElement
  if (target && target.files) {
    file.value = target.files[0]
    try {
      console.log('FILE', file.value)
      const response = await storage.createFile(
        config.public.appwrite.bucket,
        ID.unique(),
        file.value as File,
        undefined,
        (progress) => {
          console.log('PROGRESS', progress)
          uploadProgress.value = progress.progress
        }
      )
      console.log('RESPONSE', response)
    } catch (error: any) {
      console.log(error)
    }
  }
}
</script>

<template>
  <div>
    index page
    <form @submit.prevent="onUploadFile">
      <input id="file" type="file" @change="onUploadFile($event)" />
      <p>{{ uploadProgress.toFixed() }}</p>
    </form>
  </div>
</template>
Hope that helps :)
Hey @samk-dev thanks for the reproduction! Yes so it seems that we need to update the existing XSS validator to support the form data as well. Thankfully, there is a PR open by @Ray0907 and I will review it shortly. For now, could you please make the xssValidator disabled for your app? I will try to release a new version with this support for XSS Validator for form data :) |
thank you folks for the effort :) I've already disabled the
Hey! Using the latest version, I'm experiencing the same problem with formData, the request will not leave pending state. I'm trying to send some data and a file... |
How can I implement XSS protection with FormData because I need to upload files via a form? I've checked the xssValidator.mjs file in nuxt-security/dist/runtime/server/middleware, but it appears to only validate text.