#850: push on the history object returned by createBrowserHistory can allow arbitrary JS execution
Comments
@chaance we're currently using react-router v6 within a production SPA and this is listed as a vulnerability by our code scanning tool Sonatype Nexus IQ due to it being a transient dependency of react-router. Is there any plan to remediate this issue?
I recently started using AuditJS and scanning my React 18 libraries. I found this library is being flagged for Cross-Site Scripting (XSS) as mentioned by @zeusdeux in December of last year ...
Like @adrianzielonka asked back in April, is there any work being done to remediate this?
Sanitize function courtesy of https://jonlabelle.com/snippets/view/javascript/sanitize-a-url-in-javascript
A couple of years down the road on this, any update on this one? It is still being flagged by the Sonatype IQ Server as of v5.3.0
I found a vulnerability 1y before any tools found it? I am now Bot.
Did anyone manage to resolve the Sonatype IQ Server flag? @mickelsonmichael @RundaScath @adrianzielonka @zeusdeux
Hey folks!

If the input given to push is not sanitized, arbitrary JS can be executed in the user's context. We came across this issue originally in @reach/router, but the same seems to exist in this package. The iOS 100 pushState calls limit fix is what causes this.

The browser correctly throws when the url given to pushState or replaceState contains javascript:, which is caught by this catch clause, causing window.location.assign to be used to update the url. This call isn't safe with unsanitized input and causes execution of JS. But why not sanitize your input, you might ask? Sure. We missed a spot and have fixed it on our end.

Nevertheless, the push behaviour here circumvents the browser's security system and hence this report. Codesandbox with the reproduction
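The fallback path the report describes, as an added example that is not code from the history package or from the reporter: a fake browser whose pushState throws SecurityError for any URL that does not resolve same-origin (javascript: URLs have a null origin) and whose location.assign records a javascript: navigation as script execution, a vulnerablePush that retries the raw input through location.assign when pushState throws, and a hardenedPush that resolves the input against the document origin first and refuses anything that is not a same-origin path. The names ORIGIN, makeFakeBrowser, resolveSafeUrl, vulnerablePush, hardenedPush and compare, the origin https://app.example and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not code from the history package. Models the catch-and-assign
// fallback the issue describes against a fake browser, next to a hardened push.
// Assumed names: ORIGIN, resolveSafeUrl, makeFakeBrowser, vulnerablePush, hardenedPush, compare.

const ORIGIN = 'https://app.example'; // assumed document origin of the fake page

// Resolve `url` against the document origin and keep it only if it stays
// same-origin. javascript:, data: and protocol-relative URLs resolve to a null or
// different origin and come back as null. Node's WHATWG URL parser does the same
// pre-processing a browser does (strips leading/trailing C0 controls and spaces,
// drops embedded tab/newline), so " java\nscript:" is still seen as javascript:.
function resolveSafeUrl(url, origin = ORIGIN) {
  let resolved;
  try {
    resolved = new URL(String(url), origin);
  } catch {
    return null; // unparsable input is refused too
  }
  if (resolved.origin !== origin) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Stand-in for window.history / window.location. pushState throws SecurityError
// when the resolved URL is not same-origin; location.assign would navigate, and
// for a javascript: URL that means running the script in the page context.
// Both are only recorded here.
function makeFakeBrowser(origin = ORIGIN) {
  const events = [];
  return {
    events,
    history: {
      pushState(_state, _title, url) {
        const resolved = new URL(String(url), origin);
        if (resolved.origin !== origin) {
          const err = new Error(`pushState refused ${resolved.href}`);
          err.name = 'SecurityError';
          throw err;
        }
        events.push(`pushState ${resolved.pathname}${resolved.search}${resolved.hash}`);
      },
    },
    location: {
      assign(url) {
        const resolved = new URL(String(url), origin);
        events.push(resolved.protocol === 'javascript:'
          ? `EXECUTED ${resolved.href}`
          : `navigate ${resolved.href}`);
      },
    },
  };
}

// Shape of the fallback described in the issue (paraphrased, not the package's
// source): when pushState throws, the caller's raw input goes to location.assign.
function vulnerablePush(browser, url) {
  try {
    browser.history.pushState({}, '', url);
  } catch (err) {
    if (err.name !== 'SecurityError') throw err;
    browser.location.assign(url); // a javascript: URL executes here
  }
}

// Hardened variant: validate once, up front, and hand only the resolved
// same-origin path to either API, so the fallback can never navigate anywhere
// the pushState branch would not have accepted.
function hardenedPush(browser, url) {
  const safe = resolveSafeUrl(url, ORIGIN);
  if (safe === null) {
    throw new TypeError(`refusing to push non-same-origin URL ${JSON.stringify(String(url))}`);
  }
  try {
    browser.history.pushState({}, '', safe);
  } catch (err) {
    if (err.name !== 'SecurityError') throw err;
    browser.location.assign(safe); // same-origin path only
  }
}

// Run both variants over a list of inputs and report what the fake browser saw.
function compare(inputs) {
  return inputs.map((url) => {
    const v = makeFakeBrowser();
    vulnerablePush(v, url);
    const h = makeFakeBrowser();
    let hardened;
    try { hardenedPush(h, url); hardened = h.events[0]; } catch { hardened = 'rejected'; }
    return { url, vulnerable: v.events[0], hardened };
  });
}

const SAMPLE_INPUTS = [ // constructed inputs for the demo
  '/account?tab=security#top',
  'javascript:alert(document.cookie)',
  ' java\nscript:alert(1)',
  '//evil.example/phish',
  'data:text/html,<script>alert(1)</script>',
];

console.log(JSON.stringify(compare(SAMPLE_INPUTS), null, 2));
```

The check is origin-based rather than a scheme denylist, so it also refuses cross-origin http(s) and protocol-relative targets, and it runs before pushState is attempted, which is what keeps the catch branch from ever seeing attacker-controlled input.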