Fix XSS potential #5157
trim and lowercase hrefs
@svenadlung @bdbch it's paramount that these changes be integrated as quickly as feasible to resolve XSS potential. I didn't see any way to prevent parsing
Not sure what mistake I've made in this PR that has it failing. Can anyone advise? Despite the high priority of this issue, our editor isn't even ready to ship, so I won't have much more time to work on this issue.
@Nantris happy to get this merged and released ASAP. The test is failing because, I think, you'd need to do a typecheck beforehand.
return [{
  tag: 'a[href]',
  getAttrs: dom => {
    const href = dom.getAttribute('href')
I think here we need a typecheck, as dom apparently can also be a string (at least TypeScript says so), so you can't get the href directly from a string object as getAttribute does not exist.
We resolved this with #5160
But we appreciate your contribution, your work was helpful in the final fix. We did this a bit strangely because of the multiple PRs and the urgency of it.
Glad it's taken care of! Thanks for the quick action and words of appreciation.
Changes Overview
Fix XSS potential
Implementation Approach
Trim and lowercase href before comparing. Rely on getAttrs instead of CSS selector.
Testing Done
None
Verification Steps
Additional Notes
Given that this potential was already overlooked, it's essential that these changes be tested and examined more vigorously by the core team than they were in the past.
Sample case which previously allowed XSS (due to leading spaces and due to differences in capitalization): https://codesandbox.io/p/sandbox/sharp-hill-6k846v?file=%2Fsrc%2FApp.js%3A21%2C28
Checklist
feat: Implement new feature
chore(deps): Update dependencies
Related Issues
#3673
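The approach the PR description gives (trim and lowercase the href before comparing, and do the decision inside getAttrs rather than in a CSS selector) plus the reviewer's point that dom may be a string, written out as an added example. This is not tiptap's code and not the code from this PR; the protocol allowlist, the fake element helper and the sample hrefs are assumptions constructed for the example. It goes one step further than the PR's trim-and-lowercase by running the normalized value through the WHATWG URL parser, which also strips tabs and newlines embedded in the scheme.

```javascript
// Added example (not tiptap's own code): a ParseRule-style getAttrs that
// normalizes the href as this PR describes (trim + lowercase) before deciding
// whether the link is safe, and that tolerates `dom` being a string.

// Assumed allowlist for this example; tiptap's real configuration is not reproduced here.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Normalizes an href the way the PR describes: trim surrounding whitespace and
// lowercase, so " JavaScript:alert(1)" and "javascript:alert(1)" compare equal.
function normalizeHref(href) {
  return href.trim().toLowerCase();
}

// Resolves the normalized href with the WHATWG URL parser and checks its scheme
// against the allowlist. The parser removes embedded tabs/newlines, so
// "java\tscript:" is still recognized as the javascript: scheme. Relative hrefs
// resolve against a dummy base and therefore inherit its https: scheme.
function isAllowedHref(rawHref) {
  if (typeof rawHref !== 'string') return false;
  const href = normalizeHref(rawHref);
  if (href === '') return false;
  let url;
  try {
    url = new URL(href, 'https://base.invalid/');
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// getAttrs in the shape ProseMirror's ParseRule expects: returns the attrs to
// set on the parsed node, or false to reject the element entirely.
// The stored href keeps its original casing (only trimmed), because paths and
// query strings are case-sensitive; lowercasing is for the comparison only.
function getLinkAttrs(dom) {
  // ParseRule.getAttrs may also receive a string; a string has no
  // getAttribute, so reject instead of throwing.
  if (typeof dom === 'string') return false;
  const href = dom.getAttribute('href');
  if (!isAllowedHref(href)) return false;
  return { href: href.trim(), target: dom.getAttribute('target') };
}

// Minimal stand-in for a DOM element so the example runs outside a browser (constructed).
function fakeAnchor(attrs) {
  return { getAttribute: name => (name in attrs ? attrs[name] : null) };
}

// Constructed sample hrefs, covering the two bypasses the PR description names
// (leading whitespace and mixed capitalization) plus a tab-obfuscated scheme.
const SAMPLES = [
  'https://example.com/page',
  '/relative/path',
  'mailto:someone@example.com',
  '  javascript:alert(1)',
  'JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', isAllowedHref(s) ? 'allowed' : 'rejected');
}
```

Returning false from getAttrs makes the parse rule not match at all, which is the behaviour wanted here: the anchor is dropped rather than parsed with a sanitized-but-surprising href.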