Universal example has xss vulnerability #1855

brigand · 2016-07-19T06:05:57Z

Say the initial state is {"foo":"some string"}, you're fine, but if it's is {"foo":"</script><script>alert('xss')</script><script>"} then you're screwed.

Not an issue if you're sure it's an integer, but I've seen people use this exact pattern in other places where it could cause serious issues, so best to get it right in a common point of reference.

A simple solution is to escape the <s, but not sure if there's a better way to do it.

window.__PRELOADED_STATE__ = ${JSON.stringify(preloadedState).replace(/</g, '\\x3c')}

The text was updated successfully, but these errors were encountered:

steida · 2016-07-23T23:03:35Z

Use serialize-javascript. Example: https://github.com/este/este/blob/443b78e894d0aa5c666b3df8a60b6bfd2397c7d3/src/server/frontend/render.js#L48

)

brigand added a commit to brigand/redux that referenced this issue Jul 19, 2016

fixes xss vulnerability in universal example, reduxjs#1855

25f0b8a

brigand mentioned this issue Jul 19, 2016

fixes xss vulnerability in universal example, #1855 #1856

Merged

timdorr pushed a commit that referenced this issue Jul 19, 2016

fixes xss vulnerability in universal example, #1855 (#1856)

47a3fa8

timdorr closed this as completed Jul 19, 2016

seantcoyote pushed a commit to seantcoyote/redux that referenced this issue Jan 14, 2018

fixes xss vulnerability in universal example, reduxjs#1855 (reduxjs#1856

081d78d

)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Universal example has xss vulnerability #1855

Universal example has xss vulnerability #1855

brigand commented Jul 19, 2016

steida commented Jul 23, 2016

Uh oh!

Uh oh!

Universal example has xss vulnerability #1855

Universal example has xss vulnerability #1855

Comments

brigand commented Jul 19, 2016

steida commented Jul 23, 2016

Uh oh!