
Serialize URL string contents to prevent XSS #173

Merged
merged 1 commit into from
Jan 9, 2024

Conversation

rrdelaney
Contributor

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

Fixes #172 by implementing @redonkulus's excellent suggestion. Additionally updates the tests to expect the newly encoded URL values, and adds a new test to ensure the serialized output does not contain any unsafe characters.

Thanks again to @redonkulus for finding and suggesting the fix!
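As an added illustration of the approach this PR describes (not code from the PR or from serialize-javascript), the snippet below contrasts emitting a URL's href verbatim with passing it through the same escaped-string path used for ordinary strings. The function names and the escape table are this example's own assumptions, modelled on the described fix.

```javascript
// Added example: why "serialize the URL string contents" closes the hole.
// Names and the escape table are assumptions for this illustration, not the
// library's actual source.

// Characters that must not appear literally inside an inline <script>:
// '<', '>' and '/' can terminate the block ("</script>"); U+2028/U+2029 are
// line terminators in JavaScript source and break string literals.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const ESCAPED = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON-quote the string, then replace each unsafe character with a \uXXXX
// escape. The output is still a valid JS string literal with the same value.
function serializeString(str) {
  return JSON.stringify(str).replace(UNSAFE_CHARS, (c) => ESCAPED[c]);
}

// Pre-fix shape (vulnerable): the href is pasted into the output as-is.
function serializeURLUnsafe(url) {
  return 'new URL("' + url.toString() + '")';
}

// Post-fix shape (hardened): the href is serialized like any other string.
function serializeURL(url) {
  return 'new URL(' + serializeString(url.toString()) + ')';
}

// Check used by a "no unsafe characters in the output" style test.
function isSafeForInlineScript(serialized) {
  return !/[<>\/\u2028\u2029]/.test(serialized);
}

// Constructed sample: a non-HTTP URL keeps '<', '>' and '/' verbatim in its
// href (the WHATWG parser percent-encodes '<' and '>' in http(s) paths but
// not in an opaque non-special path), which is the case the linked issue
// #172 is about.
const sample = new URL('x-app:</script>');
console.log(serializeURLUnsafe(sample));   // raw "</script>" in the literal
console.log(serializeURL(sample));         // escaped, safe to inline
```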

Collaborator

@redonkulus redonkulus left a comment


This is great, thanks for the quick PR!

@redonkulus redonkulus merged commit f27d65d into yahoo:main Jan 9, 2024
2 checks passed
@redonkulus
Collaborator

redonkulus commented Jan 9, 2024

New version with the fix published https://github.com/yahoo/serialize-javascript/releases/tag/v6.0.2. Thanks again!

@cebarks

cebarks commented Sep 25, 2024

Hi there @redonkulus, I work in Red Hat Product Security and this came across my desk. As it looks CVE worthy, I was wondering if there was ever a CVE assigned for this issue? If not, we (Red Hat) can assist in that process if needed.

@abhraj26

abhraj26 commented Oct 4, 2024

@redonkulus: Can you please reach out to GitHub for CVE assignment like you did for CVE-2019-16769 for the same issue.

@cebarks

cebarks commented Nov 26, 2024

I've assigned CVE-2024-11831 from Red Hat's pool to track this as I never got a response to the above.

Successfully merging this pull request may close these issues.

Security vulnerability for non-HTTP URLs
4 participants