terribleplan/next.js
1
0
Fork 0
mirror of https://github.com/terribleplan/next.js.git synced 2024-01-19 02:48:18 +00:00
Code Issues Releases Wiki Activity

Merge master into v3-beta.

Browse source
This commit is contained in:
Arunoda Susiripala 2017-06-07 11:43:05 +05:30
parent 8cb3e89455 7cd2bb69ea
commit 13a51e0a75
4 changed files with 28 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
package.json
View file

@ -96,7 +96,8 @@
"webpack": "2.6.0", "webpack": "2.6.0",
"webpack-dev-middleware": "1.10.2", "webpack-dev-middleware": "1.10.2",
"webpack-hot-middleware": "2.18.0", "webpack-hot-middleware": "2.18.0",
"write-file-webpack-plugin": "4.0.2" "write-file-webpack-plugin": "4.0.2",
"xss-filters": "1.2.7"
}, },
"devDependencies": { "devDependencies": {
"babel-eslint": "7.2.3", "babel-eslint": "7.2.3",

3
server/render.js
View file

@ -13,6 +13,7 @@ import Head, { defaultHead } from '../lib/head'
import App from '../lib/app' import App from '../lib/app'
import ErrorDebug from '../lib/error-debug' import ErrorDebug from '../lib/error-debug'
import { flushChunks } from '../lib/dynamic' import { flushChunks } from '../lib/dynamic'
import xssFilters from 'xss-filters'
export async function render (req, res, pathname, query, opts) { export async function render (req, res, pathname, query, opts) {
const html = await renderToHTML(req, res, pathname, opts) const html = await renderToHTML(req, res, pathname, opts)
@ -138,6 +139,8 @@ export async function renderScript (req, res, page, opts) {
export async function renderScriptError (req, res, page, error, customFields, opts) { export async function renderScriptError (req, res, page, error, customFields, opts) {
// Asks CDNs and others to not to cache the errored page // Asks CDNs and others to not to cache the errored page
res.setHeader('Cache-Control', 'no-store, must-revalidate') res.setHeader('Cache-Control', 'no-store, must-revalidate')
// prevent XSS attacks by filtering the page before printing it.
page = xssFilters.uriInSingleQuotedAttr(page)
if (error.code === 'ENOENT') { if (error.code === 'ENOENT') {
res.setHeader('Content-Type', 'text/javascript') res.setHeader('Content-Type', 'text/javascript')

20
test/integration/production/test/index.test.js
View file

@ -6,7 +6,8 @@ import {
nextBuild, nextBuild,
startApp, startApp,
stopApp, stopApp,
renderViaHTTP renderViaHTTP,
waitFor
} from 'next-test-utils' } from 'next-test-utils'
import webdriver from 'next-webdriver' import webdriver from 'next-webdriver'
import fetch from 'node-fetch' import fetch from 'node-fetch'
@ -59,4 +60,21 @@ describe('Production Usage', () => {
browser.close() browser.close()
}) })
}) })
describe('With XSS Attacks', () => {
it('should prevent URI based attaks', async () => {
const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
// Wait 5 secs to make sure we load all the client side JS code
await waitFor(5000)
const bodyText = await browser
.elementByCss('body').text()
if (/HACKED/.test(bodyText)) {
throw new Error('Vulnerable to XSS attacks')
}
browser.close()
})
})
}) })

4
yarn.lock
View file

@ -5526,6 +5526,10 @@ xml-name-validator@^2.0.1:
version "2.0.1" version "2.0.1"
resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635" resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635"
xss-filters@^1.2.7:
version "1.2.7"
resolved "https://registry.yarnpkg.com/xss-filters/-/xss-filters-1.2.7.tgz#59fa1de201f36f2f3470dcac5f58ccc2830b0a9a"
"xtend@>=4.0.0 <4.1.0-0", xtend@^4.0.0, xtend@^4.0.1: "xtend@>=4.0.0 <4.1.0-0", xtend@^4.0.0, xtend@^4.0.1:
version "4.0.1" version "4.0.1"
resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af" resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"