From 114ce1bfc321a53f16fb67e11ecefe983d0e6d99 Mon Sep 17 00:00:00 2001
From: Seamus Abshere
Date: Sat, 23 May 2020 12:17:08 -0400
Subject: [PATCH 1/3] Prevent XSS attack using /auth/enable_cookies

https://example.com/shopify/auth/enable_cookies?shop=%27%22%3C/title%3E%3C/style%3E%3C/textarea%3E%3C/noscript%3E%3C/script%3E--%3E%3Cdtfy%3E%3Cscript%3Ealert(%27hello%20world%27)%3C/script%3E Thanks to @nhusher
---
 .../koa-shopify-auth/src/auth/client/top-level-interaction.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/koa-shopify-auth/src/auth/client/top-level-interaction.ts b/packages/koa-shopify-auth/src/auth/client/top-level-interaction.ts
index 0da2925d8d..8505b89d3f 100644
--- a/packages/koa-shopify-auth/src/auth/client/top-level-interaction.ts
+++ b/packages/koa-shopify-auth/src/auth/client/top-level-interaction.ts
@@ -3,7 +3,7 @@ const topLevelInteraction = (shop: string, prefix = '') => {
 return `(function() {
 function setUpTopLevelInteraction() {
 var TopLevelInteraction = new ITPHelper({
- redirectUrl: "${prefix}/auth?shop=${shop}",
+ redirectUrl: "${prefix}/auth?shop=${encodeURIComponent(shop)}",
 });
 TopLevelInteraction.execute();

From 4b7179e02196ba0dd5ca3e0d192cd58009ba6862 Mon Sep 17 00:00:00 2001
From: Seamus Abshere
Date: Sat, 23 May 2020 14:37:52 -0400
Subject: [PATCH 2/3] 2 more spots

---
 packages/koa-shopify-auth/src/auth/create-enable-cookies.ts | 2 +-
 .../koa-shopify-auth/src/auth/create-request-storage-access.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/koa-shopify-auth/src/auth/create-enable-cookies.ts b/packages/koa-shopify-auth/src/auth/create-enable-cookies.ts
index abd27457e4..8d647c8669 100644
--- a/packages/koa-shopify-auth/src/auth/create-enable-cookies.ts
+++ b/packages/koa-shopify-auth/src/auth/create-enable-cookies.ts
@@ -40,7 +40,7 @@ export default function createEnableCookies({
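Review bot: The fix on the `+` line is correct only because of its context and that should be recorded next to it: `encodeURIComponent` leaves `'`, `(`, `)`, `*`, `!` and `~` unencoded, so the value is contained only because the enclosing JS literal is double-quoted and every `<`, `>`, `"` and `/` is percent-encoded — switching that literal to single quotes or moving the value into an HTML attribute would reopen the hole. Suggest a comment placed above the `return` line, outside the template literal so it is not emitted into the client script, along the lines of `// shop comes from the query string and is untrusted; encodeURIComponent escapes <, >, " and /, which is what keeps it inside this double-quoted literal and inside the script block`. `prefix` is interpolated into the same literal unencoded; it looks like a configuration value rather than request data, but if that assumption is wrong it needs the same treatment. Encoding at the sink is the right fix here, and validating `shop` against the expected shop-domain format where it enters from the request would additionally keep the rest of the auth flow from ever handling arbitrary strings. The body of topLevelInteraction continues outside the hunk.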