Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add escapeHtml option to XssValidator #377

Merged
merged 1 commit into from
Feb 19, 2024
Merged

feat: add escapeHtml option to XssValidator #377

merged 1 commit into from
Feb 19, 2024

Conversation

Morgbn
Copy link
Contributor

@Morgbn Morgbn commented Feb 15, 2024

resolves #206

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

js-xss has escapeHtmloption, by default < is replaced by &lt; and > by &gt;
This pull request allows dev to easily disable this feature

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)

To test

Before this fail:

fetch('/api/test', { method: 'POST', body: JSON.stringify({ value: "ok ->" }), headers: { 'Content-Type': 'application/json' } })

Now, if xssValidator.escapeHtml is set to false it works

@vercel Vercel
Copy link

vercel bot commented Feb 15, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback Feb 15, 2024 0:46am

@Baroshem
Copy link
Owner

Hey @Morgbn

Great to have you here! Thanks for the pull request.

I will review it in upcoming days :)

Baroshem
Baroshem reviewed Feb 16, 2024
View reviewed changes
Copy link
Owner

@Baroshem Baroshem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question as I am not sure

src/runtime/server/middleware/xssValidator.ts
import { defineEventHandler, createError, getQuery, readBody, getRouteRules } from '#imports'

export default defineEventHandler(async (event) => {
const { security } = getRouteRules(event)

if (security?.xssValidator) {
const xssValidator = new FilterXSS(security.xssValidator)
const filterOpt: IFilterXSSOptions = { ...security.xssValidator, escapeHtml: undefined }
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: What if user passes escapeHtml in xssValidator? Wouldn't this line overwrite it automatically to undefined?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @Baroshem !
Yes, it removes escapeHtml: boolean that not compatible with escapeHtml?: EscapeHandler (def)
If security.xssValidator.escapeHtml is false, the escapeHtml is set as a function that returns its input directly (which doesn't escapes ">" & "<")
if it's true or undefined, the default function will be used by js-xss (which escapes ">" & "<")

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, makes sense!

Thanks for clarification :)

@Baroshem Baroshem changed the base branch from main to chore/1.2.0 February 19, 2024 12:52
@Baroshem Baroshem merged commit fcd28dd into Baroshem:chore/1.2.0 Feb 19, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Baroshem Baroshem Baroshem left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Xss validator not allowing having < and > characters in request body
2 participants
@Morgbn @Baroshem