Squashed commit of the following:

commit ced48c3fcfd1880016b08590e1b50827247b7cfb Author: Arunoda Susiripala <arunoda.susiripala@gmail.com> Date: Wed Jun 7 11:28:43 2017 +0530 Make sure XSS fix doesn't break our 404 support. commit d40c833aa16660d547df785bb52e69ecf9a717f2 Author: Arunoda Susiripala <arunoda.susiripala@gmail.com> Date: Wed Jun 7 09:08:41 2017 +0530 Prevent url path based XSS attacks.
2024-01-19 02:48:18 +00:00 · 2017-06-07 11:37:28 +05:30 · 2017-06-07 11:37:28 +05:30 · 7cd2bb69ea
parent 70da357426
commit 7cd2bb69ea
4 changed files with 28 additions and 2 deletions
--- a/package.json
+++ b/package.json
@ -92,7 +92,8 @@
    "webpack": "2.5.1",
    "webpack-dev-middleware": "1.10.2",
    "webpack-hot-middleware": "2.18.0",
-    "write-file-webpack-plugin": "4.0.2"
+    "write-file-webpack-plugin": "4.0.2",
+    "xss-filters": "1.2.7"
  },
  "devDependencies": {
    "babel-eslint": "7.2.3",
--- a/server/render.js
+++ b/server/render.js
@ -12,6 +12,7 @@ import { loadGetInitialProps } from '../lib/utils'
 import Head, { defaultHead } from '../lib/head'
 import App from '../lib/app'
 import ErrorDebug from '../lib/error-debug'
+import xssFilters from 'xss-filters'

 export async function render (req, res, pathname, query, opts) {
  const html = await renderToHTML(req, res, pathname, opts)
@ -133,6 +134,8 @@ export async function renderScript (req, res, page, opts) {
 export async function renderScriptError (req, res, page, error, customFields, opts) {
  // Asks CDNs and others to not to cache the errored page
  res.setHeader('Cache-Control', 'no-store, must-revalidate')
+  // prevent XSS attacks by filtering the page before printing it.
+  page = xssFilters.uriInSingleQuotedAttr(page)

  if (error.code === 'ENOENT') {
    res.setHeader('Content-Type', 'text/javascript')
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
@ -6,7 +6,8 @@ import {
  nextBuild,
  startApp,
  stopApp,
-  renderViaHTTP
+  renderViaHTTP,
+  waitFor
 } from 'next-test-utils'
 import webdriver from 'next-webdriver'
 import fetch from 'node-fetch'
@ -59,4 +60,21 @@ describe('Production Usage', () => {
      browser.close()
    })
  })
+
+  describe('With XSS Attacks', () => {
+    it('should prevent URI based attaks', async () => {
+      const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
+      // Wait 5 secs to make sure we load all the client side JS code
+      await waitFor(5000)
+
+      const bodyText = await browser
+        .elementByCss('body').text()
+
+      if (/HACKED/.test(bodyText)) {
+        throw new Error('Vulnerable to XSS attacks')
+      }
+
+      browser.close()
+    })
+  })
 })
--- a/yarn.lock
+++ b/yarn.lock
@ -5243,6 +5243,10 @@ xml-name-validator@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635"

+xss-filters@^1.2.7:
+  version "1.2.7"
+  resolved "https://registry.yarnpkg.com/xss-filters/-/xss-filters-1.2.7.tgz#59fa1de201f36f2f3470dcac5f58ccc2830b0a9a"
+
 "xtend@>=4.0.0 <4.1.0-0", xtend@^4.0.0, xtend@^4.0.1:
  version "4.0.1"
  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"