New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent XSS in the cookie attributes #400
Conversation
306d4e2
to
7804f21
Compare
#370 (comment) might help to recover these bytes, though... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are able to save more bytes... with the proposed change we get +6 gzipped.
src/js.cookie.js
Outdated
// not including, the first %x3B (";") character. | ||
// ... | ||
attributes[attributeName] = attributes[attributeName].split(';')[0]; | ||
|
||
stringifiedAttributes += '=' + attributes[attributeName]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could write
stringifiedAttributes += '=' + attributes[attributeName].split(';')[0];
and save some more bytes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, unless attributes[attributeName]
were needed afterwards for some other processing... but it doesn't look like it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea! Done.
Looking through the code, I found at least one opportunity to reduce bytes, there might be more: key = encodeURIComponent(String(key));
key = key.replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent);
key = key.replace(/[\(\)]/g, escape); => key = encodeURIComponent(String(key))
.replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent)
.replace(/[\(\)]/g, escape); I'm going to prepare a PR for it. |
X-Ref: #401 |
Haha, so I'll have to find a way to get rid of 1 more byte... |
We have 22 on the plus side now... |
hi, I look at the code in the process, encountered a question, but also ask edify ing on the . I can understand this line of code in this function, but I don't understand why you're splitting up.
attributes are an option object that sets cookies, but the value value of this option object contains ';'' . For example, I write like this. const attributes = {
path: '/',
expires: 7,
}
Cookie.set('name', 'value', attributes) The value values of the attributes are '/' and 7, respectively, and do not contain ';'' the symbol, why split it. this makes me a little confused, I hope the big guy to tell you what you think. Thank you very much. |
@qiqingfu If you remove those lines, run the tests and debug, you'll find out why they're necessary. If no test fails, then that means that code is not necessary because we can (and we do) cover 100% of the use cases of js-cookie. There's also a comment in the code in the diff from this PR explaining why that piece eas necessary. |
Thank you very much for your answer, I found the reason in the test case. QUnit.test(
'sanitization of attributes to prevent XSS from untrusted input',
function (assert) {
assert.expect(1)
assert.strictEqual(
Cookies.set('c', 'v', {
path: '/;domain=sub.domain.com',
domain: 'site.com;remove_this',
customAttribute: 'value;;remove_this'
}),
'c=v; path=/; domain=site.com; customAttribute=value',
'should not allow semicolon in a cookie attribute'
)
}
) |
Honestly, I'm not happy with this +19 bytes gzipped:
X-Ref: #396