Refined-github: XSS

Created on 19 Jun 2017 · 4 Comments · Source: sindresorhus/refined-github

The new linkify code opens us to XSS. My bad.

Open this to verify: https://github.com/bfred-it/sandbox/blob/master/test.js

The issue was passing a textContent to the linkifier (which could be the string "<img src='yo.jpg'>") and getting back HTML. Bang. XSS.

Fixed in https://github.com/sindresorhus/refined-github/commit/21fd5f059aaa015fe8a5f1554039125265b628f3 already because of the urgency.

Leaving this open for a bit as an advisory.

bug
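
The bug described in the issue above, shown as an added example that is not part of the original issue and is not refined-github's code: a linkifier that takes plain text (what `textContent` returns) and emits an HTML string, beside a version that escapes everything it did not build itself. The function names, the URL pattern and the sample string are assumptions made for illustration.

```javascript
// Added example, not refined-github's code. All names here are hypothetical.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape text so it is inert in HTML text and in quoted attribute values.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[ch]));
}

// Vulnerable pattern: the input is plain text, the output is treated as HTML.
// Everything outside the matched URLs passes through unescaped, so text that
// was harmless as textContent becomes markup once assigned to innerHTML.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Hardened pattern: walk the URL matches and escape every piece of the input,
// so the only markup in the result is the <a> tags constructed here.
function linkifySafe(text) {
  let html = '';
  let last = 0;
  for (const match of text.matchAll(URL_RE)) {
    const url = match[0];
    html += escapeHtml(text.slice(last, match.index));
    html += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = match.index + url.length;
  }
  return html + escapeHtml(text.slice(last));
}

// Constructed sample: the textContent of a code line that mentions a URL and
// contains the markup-like string quoted in the issue.
const sample = "// see https://example.com/docs <img src='yo.jpg'>";

console.log(linkifyUnsafe(sample)); // the <img ...> survives as a live tag
console.log(linkifySafe(sample));   // the <img ...> is rendered as text
```

In a browser, building the result from text nodes and `<a>` elements instead of an HTML string removes the need for the escaping step.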

All 4 comments

I don't think your changes with XSS were released though, right?

Correct. I just wanted to fix the master branch as fast as possible, even though it introduced a small bug: #511

@bfred-it For such urgent fixes, a better way is to create a PR and merge it immediately. This way you still have run CI, you have generated notifications and a PR is easier for review even when merged.

@hkdobrev thanks! Hopefully I won't find such urgent bugs anymore.
