Prevent XSS in the cookie attributes #400
Conversation
FagnerMartinsBrack
force-pushed
the
prevent-xss-path
branch
from
306d4e2
to
7804f21
Compare
|
#370 (comment) might help to recover these bytes, though... |
src/js.cookie.js
Outdated
| // not including, the first %x3B (";") character. | ||
| // ... | ||
| attributes[attributeName] = attributes[attributeName].split(';')[0]; | ||
|
|
||
| stringifiedAttributes += '=' + attributes[attributeName]; |
There was a problem hiding this comment.
We could write
stringifiedAttributes += '=' + attributes[attributeName].split(';')[0];and save some more bytes.
There was a problem hiding this comment.
Well, unless attributes[attributeName] were needed afterwards for some other processing... but it doesn't look like it.
There was a problem hiding this comment.
Good idea! Done.
|
Looking through the code, I found at least one opportunity to reduce bytes, there might be more: key = encodeURIComponent(String(key));
key = key.replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent);
key = key.replace(/[\(\)]/g, escape);=> key = encodeURIComponent(String(key))
.replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent)
.replace(/[\(\)]/g, escape);I'm going to prepare a PR for it. |
X-Ref: #401 |
FagnerMartinsBrack
changed the title
|
Haha, so I'll have to find a way to get rid of 1 more byte... |
|
We have 22 on the plus side now... |
ghost
mentioned this pull request
|
hi, I look at the code in the process, encountered a question, but also ask edify ing on the . I can understand this line of code in this function, but I don't understand why you're splitting up.
attributes are an option object that sets cookies, but the value value of this option object contains ';'' . For example, I write like this. const attributes = {
path: '/',
expires: 7,
}
Cookie.set('name', 'value', attributes)The value values of the attributes are '/' and 7, respectively, and do not contain ';'' the symbol, why split it. this makes me a little confused, I hope the big guy to tell you what you think. Thank you very much. |
|
@qiqingfu If you remove those lines, run the tests and debug, you'll find out why they're necessary. If no test fails, then that means that code is not necessary because we can (and we do) cover 100% of the use cases of js-cookie. There's also a comment in the code in the diff from this PR explaining why that piece eas necessary. |
|
Thank you very much for your answer, I found the reason in the test case. QUnit.test(
'sanitization of attributes to prevent XSS from untrusted input',
function (assert) {
assert.expect(1)
assert.strictEqual(
Cookies.set('c', 'v', {
path: '/;domain=sub.domain.com',
domain: 'site.com;remove_this',
customAttribute: 'value;;remove_this'
}),
'c=v; path=/; domain=site.com; customAttribute=value',
'should not allow semicolon in a cookie attribute'
)
}
) |
Honestly, I'm not happy with this +19 bytes gzipped:
X-Ref: #396