https://github.com/sindresorhus/refined-github/pull/269#issuecomment-233547355
We likely have more than just that 1. Note that the risk factor is lower than usual thanks to GitHub using a strict content security policy, but it's still worthwhile.
Yeah this seems like a good idea.
Maybe switching to "use strict;" in the JavaScript would ease up the issues? Though I haven't read all the source and don't know what unit testing this actually passes through, but a quick lint can help uncover issues pretty quickly.
It happened #510
Also relevant:
What you can do, if that's important to anyone here, is to review each string composition to make sure we're sanitizing the input, wherever necessary.
https://github.com/sindresorhus/refined-github/issues/439#issuecomment-306419652
Sanitized addReadmeButtons: #538
All over the extension we create elements via $('html') and similar methods. We should start restricting this HTML to our own strings and limit user content as much as possible.
Example:
domify(`<a class="one two" href="${ element.title }">${ name }`);
Becomes
const a = domify('<a class="one two">');
a.href = element.title;
a.textContent = name;
or
$('<a class="one two">', {
  href: element.title,
  text: name
});
Edit: continued on https://github.com/sindresorhus/refined-github/issues/539
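An added illustration of the "restrict HTML to our own strings" idea from the post above, for places where a string template is kept instead of setting properties on the element. This is example code, not refined-github's own: `escapeHtml`, `safeHtml`, `safeHref`, `buildLink` and the `https://github.com/` base URL are hypothetical names and assumptions, and the hostile inputs are constructed.

```javascript
// Added example: hypothetical helpers, not part of refined-github.
const ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

// Escape the characters that can break out of element text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Tagged template: the literal parts are our own strings and are trusted;
// every interpolated value is treated as user content and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Escaping alone does not neutralise a dangerous URL scheme in href,
// so the scheme is checked against an allowlist after resolving the URL.
function safeHref(url, base = 'https://github.com/') { // base is an assumption
  try {
    const parsed = new URL(String(url), base);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#'; // unparseable input never reaches the attribute
  }
}

// The link from the post, built so user content cannot add markup.
function buildLink(title, name) {
  return safeHtml`<a class="one two" href="${safeHref(title)}">${name}</a>`;
}

// Constructed inputs standing in for user-controlled title and name values.
const hostileTitle = '"><img src=x onerror=alert(1)>';
const hostileName = '<script>alert(1)</script>';

console.log(buildLink(hostileTitle, hostileName));       // markup arrives inert
console.log(buildLink('javascript:alert(1)', 'click'));  // scheme rejected
console.log(buildLink('/sindresorhus/refined-github', 'repo'));
```

The property-based forms in the post remain the simpler option when the element is built in one place; a tagged template like this one is for templates that are too large to take apart.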
We're done here!