Squashed commit of the following:
commit ced48c3fcfd1880016b08590e1b50827247b7cfb Author: Arunoda Susiripala <arunoda.susiripala@gmail.com> Date: Wed Jun 7 11:28:43 2017 +0530 Make sure the XSS fix doesn't break our 404 support. commit d40c833aa16660d547df785bb52e69ecf9a717f2 Author: Arunoda Susiripala <arunoda.susiripala@gmail.com> Date: Wed Jun 7 09:08:41 2017 +0530 Prevent URL-path-based XSS attacks.
This commit is contained in:
parent
70da357426
commit
7cd2bb69ea
|
@ -92,7 +92,8 @@
|
|||
"webpack": "2.5.1",
|
||||
"webpack-dev-middleware": "1.10.2",
|
||||
"webpack-hot-middleware": "2.18.0",
|
||||
"write-file-webpack-plugin": "4.0.2"
|
||||
"write-file-webpack-plugin": "4.0.2",
|
||||
"xss-filters": "1.2.7"
|
||||
},
|
||||
"devDependencies": {
|
||||
"babel-eslint": "7.2.3",
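Review bot: The new dependency is pinned to an exact version, `"xss-filters": "1.2.7"`, but the lockfile hunk further down this page records the entry as `xss-filters@^1.2.7:`, a caret range; yarn keys lockfile entries by the spec written in package.json, so an exact pin should produce `xss-filters@1.2.7:`, and the mismatch suggests yarn.lock was generated from a different spec and will be re-resolved on the next install (or rejected under `--frozen-lockfile`). Regenerating the lockfile after the pin keeps the two in step with the exact-pin convention the surrounding entries follow. Since this also adds a third-party runtime dependency on the server render path, it is worth stating in the commit message which output context the library is expected to encode for, so the choice can be checked later.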
|
||||
|
|
|
@ -12,6 +12,7 @@ import { loadGetInitialProps } from '../lib/utils'
|
|||
import Head, { defaultHead } from '../lib/head'
|
||||
import App from '../lib/app'
|
||||
import ErrorDebug from '../lib/error-debug'
|
||||
import xssFilters from 'xss-filters'
|
||||
|
||||
export async function render (req, res, pathname, query, opts) {
|
||||
const html = await renderToHTML(req, res, pathname, opts)
|
||||
|
@ -133,6 +134,8 @@ export async function renderScript (req, res, page, opts) {
|
|||
export async function renderScriptError (req, res, page, error, customFields, opts) {
|
||||
// Asks CDNs and others to not to cache the errored page
|
||||
res.setHeader('Cache-Control', 'no-store, must-revalidate')
|
||||
// prevent XSS attacks by filtering the page before printing it.
|
||||
page = xssFilters.uriInSingleQuotedAttr(page)
|
||||
|
||||
if (error.code === 'ENOENT') {
|
||||
res.setHeader('Content-Type', 'text/javascript')
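Review bot: `xssFilters.uriInSingleQuotedAttr` is an encoder for a URI placed inside a single-quoted HTML attribute, yet the value it produces is written into a response served as `text/javascript` (the `Content-Type` set two lines below), so the encoding context does not match the output context; judging by the new test it neutralises the `'` break-out, but the appropriate tool for interpolating untrusted text into generated script is a JavaScript-string encoding such as `JSON.stringify(page)` applied at the point where `page` is spliced in. That interpolation point and the rest of `renderScriptError` lie outside the hunk, so I cannot see whether the encoded value is also used in a non-JS context, or whether the sibling `renderScript` named in the hunk header interpolates `page` unencoded and needs the same treatment. The comment calls this "filtering"; it is output encoding, and I would say so: `// page is taken from the request path (untrusted): encode it for the JS context it is interpolated into below, so a quote in the path cannot terminate the string literal`. Reassigning the `page` parameter also makes it easy to lose track of which form later code sees; a separate `const encodedPage = xssFilters.uriInSingleQuotedAttr(page)` used at the interpolation site is clearer.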
|
||||
|
|
|
@ -6,7 +6,8 @@ import {
|
|||
nextBuild,
|
||||
startApp,
|
||||
stopApp,
|
||||
renderViaHTTP
|
||||
renderViaHTTP,
|
||||
waitFor
|
||||
} from 'next-test-utils'
|
||||
import webdriver from 'next-webdriver'
|
||||
import fetch from 'node-fetch'
|
||||
|
@ -59,4 +60,21 @@ describe('Production Usage', () => {
|
|||
browser.close()
|
||||
})
|
||||
})
|
||||
|
||||
describe('With XSS Attacks', () => {
|
||||
it('should prevent URI based attaks', async () => {
|
||||
const browser = await webdriver(appPort, '/\',document.body.innerHTML="HACKED",\'')
|
||||
// Wait 5 secs to make sure we load all the client side JS code
|
||||
await waitFor(5000)
|
||||
|
||||
const bodyText = await browser
|
||||
.elementByCss('body').text()
|
||||
|
||||
if (/HACKED/.test(bodyText)) {
|
||||
throw new Error('Vulnerable to XSS attacks')
|
||||
}
|
||||
|
||||
browser.close()
|
||||
})
|
||||
})
|
||||
})
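Review bot: `browser.close()` is only reached when the check passes; if `HACKED` is found, or `elementByCss` rejects, the thrown error skips the close and leaks the browser session for the rest of the run, so the statements from `await waitFor(5000)` through the `throw` should sit in `try { … } finally { browser.close() }`. The fixed `waitFor(5000)` also adds five seconds to every run and remains a guess about when the client bundle has executed; polling for a hydration marker or the 404 component's text up to a deadline would be faster and less flaky, though the hunk does not show what marker the client exposes. The payload only exercises the single-quote break-out; a second case with a backslash or a `</script>` sequence in the path would guard against an encoder that handles quotes but not those. "attaks" in the test name should read "attacks".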
|
||||
|
|
|
@ -5243,6 +5243,10 @@ xml-name-validator@^2.0.1:
|
|||
version "2.0.1"
|
||||
resolved "https://registry.yarnpkg.com/xml-name-validator/-/xml-name-validator-2.0.1.tgz#4d8b8f1eccd3419aa362061becef515e1e559635"
|
||||
|
||||
xss-filters@^1.2.7:
|
||||
version "1.2.7"
|
||||
resolved "https://registry.yarnpkg.com/xss-filters/-/xss-filters-1.2.7.tgz#59fa1de201f36f2f3470dcac5f58ccc2830b0a9a"
|
||||
|
||||
"xtend@>=4.0.0 <4.1.0-0", xtend@^4.0.0, xtend@^4.0.1:
|
||||
version "4.0.1"
|
||||
resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"
|
||||
|
|