security: fix XSS for malicious URLs #114

Closed
McShelby opened this issue Oct 8, 2021 · 0 comments

McShelby commented Oct 8, 2021

To reproduce this, the site must be served by a "real" webserver. With hugo server this issue is not reproducible.

If you have nodejs installed, you can reproduce it by generating your site with hugo and afterwards serving the content of your build with npx serve.

If you load the URL http://localhost:5000/asdf'onmouseover='alert(origin)'/%2f../ in your browser, a hover over a heading's copy-to-clipboard icon will open a message box.

Thanks to @andrucha97 for pointing this out.

@McShelby McShelby added the bug Something isn't working label Oct 8, 2021
@McShelby McShelby added this to the 2.5.0 milestone Oct 8, 2021
@McShelby McShelby self-assigned this Oct 8, 2021
@McShelby McShelby closed this as completed Oct 8, 2021
@McShelby McShelby changed the title from "security: fix XSS for malicioius URLs" to "security: fix XSS for malicious URLs" Apr 12, 2024
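
The issue does not show the affected theme code, so the following is an added JavaScript example, not the project's own code, of the general pattern the reproduction URL points at: a page URL concatenated into a single-quoted HTML attribute, shown next to an escaped version. The function names, the `span` markup and the `data-url` attribute are assumptions made for illustration.

```javascript
// Added illustration; not code from the theme. Markup and names are assumptions.

// Constructed sample: the reproduction URL from the issue. Browsers do not
// percent-encode a single quote in the path, so it reaches script code as-is.
const SAMPLE_URL = "http://localhost:5000/asdf'onmouseover='alert(origin)'/%2f../";

// Pattern at risk: the URL is concatenated into a single-quoted attribute,
// so a quote inside the URL ends the value early.
function copyIconUnsafe(url) {
  return "<span class='copy' data-url='" + url + "'></span>";
}

// Escape every character that can end an attribute value or start markup.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: same markup, but the URL can no longer leave its attribute.
function copyIconSafe(url) {
  return "<span class='copy' data-url='" + escapeAttr(url) + "'></span>";
}

// Simplified start-tag scan that lists the attribute names an HTML parser
// would see, used here to check how many attributes the markup really has.
function attributeNames(html) {
  const startTag = html.slice(0, html.indexOf(">") + 1);
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:'[^']*'|"[^"]*"|[^\s'">]+)/g;
  return Array.from(startTag.matchAll(re), (m) => m[1]);
}

console.log(attributeNames(copyIconUnsafe(SAMPLE_URL))); // extra event-handler attribute
console.log(attributeNames(copyIconSafe(SAMPLE_URL)));   // only the intended attributes
```

In browser code, setting the value with `element.setAttribute` instead of building an HTML string avoids the quoting problem altogether.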