Cross-Site Scripting (XSS) : issue fix by sanitizing strings#1
Cross-Site Scripting (XSS) : issue fix by sanitizing strings#1JamieSlome merged 1 commit into418sec:masterfrom
Conversation
|
Hi @bbeale , @Mik317 , @mufeedvh , @mzfr , I'm aware that you guys are busy, and I really appreciate the work you guys have done and are doing. However, I'd like an input on this fix, about whether this one is adequate or a nod on the fact that this fix involves installing another package/library only for the sake of escaping some strings is the right way to go ahead. If anyone has some pointers on any other approach, please do let me know. It'd not only help me fix and close this one, but also for the similar other open issues. Keep up the good work! Cheers!! |
|
Congratulations d3v53c - your fix has been selected! 🎉 Thanks for being part of the community & helping secure the world's open source code. |
5 participants
📊 Metadata *
d2b is vulnerable to Cross-Site Scripting (XSS).
Bounty URL: https://www.huntr.dev/bounties/1-npm-d2b
⚙️ Description *
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
💻 Technical Description *
Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution.
🐛 Proof of Concept (PoC) *
package.jsonhttps://codesandbox.io/s/d2b-pie-default-donut-demo-forked-seghw?file=/package.json:231-246 see the screenshots.{label: 'arc 1"><img src=x onerror=alert(1)>', value: 23},🔥 Proof of Fix (PoF) *
Before:
After:
👍 User Acceptance Testing (UAT)
After the fix, functionality is unaffected.