Skip to content

Commit 54271f6

Browse files
ctcpipUlisesGascon
ctcpip
and
UlisesGascon
committed
fix: don't render redirect values in anchor href
Co-authored-by: Ulises Gascón <[email protected]>
1 parent 125bb74 commit 54271f6

File tree

2 files changed

+22
-4
lines changed

2 files changed

+22
-4
lines changed

lib/response.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -969,7 +969,7 @@ res.redirect = function redirect(url) {
969969

970970
html: function(){
971971
var u = escapeHtml(address);
972-
body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
972+
body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
973973
},
974974

975975
default: function(){

test/res.redirect.js

Lines changed: 21 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -106,7 +106,7 @@ describe('res', function(){
106106
.set('Accept', 'text/html')
107107
.expect('Content-Type', /html/)
108108
.expect('Location', 'http://google.com')
109-
.expect(302, '<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>', done)
109+
.expect(302, '<p>Found. Redirecting to http://google.com</p>', done)
110110
})
111111

112112
it('should escape the url', function(done){
@@ -122,9 +122,27 @@ describe('res', function(){
122122
.set('Accept', 'text/html')
123123
.expect('Content-Type', /html/)
124124
.expect('Location', '%3Cla\'me%3E')
125-
.expect(302, '<p>Found. Redirecting to <a href="%3Cla&#39;me%3E">%3Cla&#39;me%3E</a></p>', done)
125+
.expect(302, '<p>Found. Redirecting to %3Cla&#39;me%3E</p>', done)
126126
})
127127

128+
it('should not render evil javascript links in anchor href (prevent XSS)', function(done){
129+
var app = express();
130+
var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
131+
var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
132+
133+
app.use(function(req, res){
134+
res.redirect(xss);
135+
});
136+
137+
request(app)
138+
.get('/')
139+
.set('Host', 'http://example.com')
140+
.set('Accept', 'text/html')
141+
.expect('Content-Type', /html/)
142+
.expect('Location', encodedXss)
143+
.expect(302, '<p>Found. Redirecting to ' + encodedXss +'</p>', done);
144+
});
145+
128146
it('should include the redirect type', function(done){
129147
var app = express();
130148

@@ -137,7 +155,7 @@ describe('res', function(){
137155
.set('Accept', 'text/html')
138156
.expect('Content-Type', /html/)
139157
.expect('Location', 'http://google.com')
140-
.expect(301, '<p>Moved Permanently. Redirecting to <a href="http://google.com">http://google.com</a></p>', done);
158+
.expect(301, '<p>Moved Permanently. Redirecting to http://google.com</p>', done);
141159
})
142160
})
143161

0 commit comments

Comments
 (0)