Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Serialize URL string contents to prevent XSS #173

Merged
merged 1 commit into from
Jan 9, 2024
Merged

Serialize URL string contents to prevent XSS #173

merged 1 commit into from
Jan 9, 2024

Conversation

rrdelaney
Copy link
Contributor

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

Fixes #172 by implementing @redonkulus's excellent suggestion. Additionally updates the tests to expect the newly encoded URL values, and adds a new test to ensure the serialized output does not contain any unsafe characters.

Thanks again to @redonkulus for finding and suggesting the fix!

redonkulus
redonkulus approved these changes Jan 9, 2024
View reviewed changes
Copy link
Collaborator

@redonkulus redonkulus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great, thanks for the quick PR!

@redonkulus redonkulus merged commit f27d65d into yahoo:main Jan 9, 2024
2 checks passed
@redonkulus
Copy link
Collaborator

redonkulus commented Jan 9, 2024
edited
Loading

New version with the fix published https://github.com/yahoo/serialize-javascript/releases/tag/v6.0.2. Thanks again!

@Omrisnyk Omrisnyk mentioned this pull request Jan 9, 2024
Open
@jrmhaig jrmhaig mentioned this pull request Jan 23, 2024
Closed
@claude-morningstar47 claude-morningstar47 mentioned this pull request Sep 8, 2024
Open
@cebarks
Copy link

cebarks commented Sep 25, 2024
edited
Loading

Hi there @redonkulus, I work in Red Hat Product Security and this came across my desk. As it looks CVE worthy, I was wondering if there was ever a CVE assigned for this issue? If not, we (Red Hat) can assist in that process if needed.

@abhraj26
Copy link

abhraj26 commented Oct 4, 2024

@redonkulus : Can you please reach out to Github for CVE assignment like you did for CVE-2019-16769 for the same issue .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@redonkulus redonkulus redonkulus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security vulnerability for non-HTTP URLs
4 participants
@rrdelaney @redonkulus @cebarks @abhraj26