
Squashed commit of the following:

commit ced48c3fcfd1880016b08590e1b50827247b7cfb
Author: Arunoda Susiripala <arunoda.susiripala@gmail.com>
Date:   Wed Jun 7 11:28:43 2017 +0530

    Make sure XSS fix doesn't break our 404 support.

commit d40c833aa16660d547df785bb52e69ecf9a717f2
Author: Arunoda Susiripala <arunoda.susiripala@gmail.com>
Date:   Wed Jun 7 09:08:41 2017 +0530

    Prevent URL-path-based XSS attacks.
Arunoda Susiripala 2017-06-07 11:37:28 +05:30
parent 70da357426
commit 7cd2bb69ea
4 changed files with 28 additions and 2 deletions


@ -92,7 +92,8 @@
"webpack": "2.5.1",
"webpack-dev-middleware": "1.10.2",
"webpack-hot-middleware": "2.18.0",
"write-file-webpack-plugin": "4.0.2"
"write-file-webpack-plugin": "4.0.2",
"xss-filters": "1.2.7"
},
"devDependencies": {
"babel-eslint": "7.2.3",


@ -12,6 +12,7 @@ import { loadGetInitialProps } from '../lib/utils'
import Head, { defaultHead } from '../lib/head'
import App from '../lib/app'
import ErrorDebug from '../lib/error-debug'
import xssFilters from 'xss-filters'
export async function render (req, res, pathname, query, opts) {
const html = await renderToHTML(req, res, pathname, opts)
@ -133,6 +134,8 @@ export async function renderScript (req, res, page, opts) {
export async function renderScriptError (req, res, page, error, customFields, opts) {
// Asks CDNs and others to not to cache the errored page
res.setHeader('Cache-Control', 'no-store, must-revalidate')
// prevent XSS attacks by filtering the page before printing it.
page = xssFilters.uriInSingleQuotedAttr(page)
if (error.code === 'ENOENT') {
res.setHeader('Content-Type', 'text/javascript')
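Review bot: `page = xssFilters.uriInSingleQuotedAttr(page)` encodes for an HTML single-quoted attribute, but the response is served as `text/javascript` two lines later, so `page` is presumably interpolated into a JavaScript string literal (the interpolation and the rest of renderScriptError are outside the hunk); encoding for the wrong context protects here only because the attribute encoder happens to entity-encode the quote, and it also rewrites legitimate page names containing `&` or `'` into entities that the client-side page registration may then fail to match. If the value really lands inside a quoted JS string, the context-correct form is `const safePage = JSON.stringify(page)` interpolated without surrounding quotes, which needs no new dependency. Reassigning the `page` parameter also hides the original value from the remainder of the function; a separate `const` keeps both readable. The comment could name the context it targets: `// page is interpolated into the error script below; encode it so it cannot terminate the enclosing string`.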


@ -6,7 +6,8 @@ import {
nextBuild,
startApp,
stopApp,
renderViaHTTP
renderViaHTTP,
waitFor
} from 'next-test-utils'
import webdriver from 'next-webdriver'
import fetch from 'node-fetch'
@ -59,4 +60,21 @@ describe('Production Usage', () => {
browser.close()
})
})
describe('With XSS Attacks', () => {
it('should prevent URI based attaks', async () => {
const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
// Wait 5 secs to make sure we load all the client side JS code
await waitFor(5000)
const bodyText = await browser
.elementByCss('body').text()
if (/HACKED/.test(bodyText)) {
throw new Error('Vulnerable to XSS attacks')
}
browser.close()
})
})
})
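Review bot: `browser.close()` at the end of the new test runs only on the success path; when `throw new Error('Vulnerable to XSS attacks')` fires, the webdriver session is left open, so the close belongs in a `try { … } finally { browser.close() }` around everything after the `webdriver(...)` call (and should be awaited if `close()` returns a promise), which also applies to the existing test whose closing lines appear in the hunk context. The fixed `await waitFor(5000)` adds five seconds to every run and remains a race on a slow machine; a readiness or wait-for-element hook from next-webdriver, if one exists (none is visible here), would be faster and more reliable. The test name `'should prevent URI based attaks'` has a typo (`attacks`). The test pins only the single-quote breakout that the filter addresses; a second case using a different quoting character would guard against a later change of encoder.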


@ -5243,6 +5243,10 @@ xml-name-validator@^2.0.1:
version "2.0.1"
resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635"
xss-filters@^1.2.7:
version "1.2.7"
resolved "https://registry.yarnpkg.com/xss-filters/-/xss-filters-1.2.7.tgz#59fa1de201f36f2f3470dcac5f58ccc2830b0a9a"
"xtend@>=4.0.0 <4.1.0-0", xtend@^4.0.0, xtend@^4.0.1:
version "4.0.1"
resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"