This repository was archived by the owner on Apr 18, 2024. It is now read-only.

Commit 8f96319

fix: LSDV-3861: XSS in error messages (#1419)
* fix: LSDV-3861: Fix XSS in error messages

URLs are used directly in error messages about failed resource loading. This allows simply exploiting XSS with short "urls" in data:

```json
"data": { "url": "https://></a><img src=# onerror=alert(1) />" }
```

Now all occurrences are escaped.

* Fix missed quotes in href parameter

---------

Co-authored-by: hlomzik <[email protected]>
1 parent 3c5a48d commit 8f96319
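As an added example (not the project's code and not part of this commit), the escaping the commit message describes, carried through on the payload the message itself quotes: a standalone `htmlEscape` (an assumed implementation; the commit imports its own from `./html`), the pre-fix message template, the post-fix template, and a crude tag counter used only to make the difference visible.

```javascript
// Added example, not the project's code. htmlEscape below is an assumed
// implementation standing in for the helper the commit imports from './html'.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Template as it was before the commit: the task-provided URL is dropped
// straight into the HTML string, both as an unquoted attribute and as text.
function urlLineVulnerable(url) {
  return `<p>URL: <code><a href=${url} target="_blank">${url}</a></code></p>`;
}

// Template as the commit rewrote it: the attribute value is URI-encoded and
// quoted, and the visible text is HTML-escaped.
function urlLineFixed(url) {
  return `<p>URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code></p>`;
}

// Count tags that the template itself does not emit. This is a demonstration
// aid for the two functions above, not a sanitizer or a general HTML parser.
function foreignTagCount(html) {
  const expected = new Set(['p', '/p', 'code', '/code', 'a', '/a']);
  const tags = html.match(/<\/?[a-zA-Z]+/g) || [];
  return tags.filter((t) => !expected.has(t.slice(1).toLowerCase())).length;
}

// Constructed input: the payload quoted in the commit message.
const PAYLOAD = 'https://></a><img src=# onerror=alert(1) />';

function demo() {
  return {
    before: foreignTagCount(urlLineVulnerable(PAYLOAD)), // 2: the <img> lands twice
    after: foreignTagCount(urlLineFixed(PAYLOAD)),       // 0: only the template's own tags
  };
}

module.exports = { htmlEscape, urlLineVulnerable, urlLineFixed, foreignTagCount, PAYLOAD, demo };
```

The payload appears twice in the original template (attribute and text), which is why the unescaped version yields two foreign tags; the fixed version yields none because `encodeURI` percent-encodes `<` and `>` in the attribute and `htmlEscape` entity-encodes them in the text.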

1 file changed

+7
-6
lines changed


src/utils/messages.js

Lines changed: 7 additions & 6 deletions
@@ -1,7 +1,8 @@
11
/* eslint-disable react/jsx-no-target-blank */
2-
32
import React from 'react';
43

4+
import { htmlEscape } from './html';
5+
56
const URL_CORS_DOCS = 'https://labelstud.io/guide/storage.html#Troubleshoot-CORS-and-access-problems';
67
const URL_TAGS_DOCS = 'https://labelstud.io/tags';
78

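Review bot: the new `htmlEscape` import from `./html` is not shown in this diff, so the rest of the review hinges on what that helper escapes; for the text positions it guards further down it must at minimum replace `&`, `<` and `>`, and also replacing `"` and `'` costs nothing and avoids surprises if it is later reused for an attribute value. Minor: the blank line between the `eslint-disable` comment and the `import React` line was dropped, which is unrelated to the fix.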
@@ -57,7 +58,7 @@ export default {
5758
<div data-testid="error:audio">
5859
<p>Error while loading audio. Check <code>{attr}</code> field in task.</p>
5960
<p>Technical description: {error}</p>
60-
<p>URL: {url}</p>
61+
<p>URL: {htmlEscape(url)}</p>
6162
</div>
6263
);
6364
},
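Review bot: `<p>URL: {htmlEscape(url)}</p>` is a JSX child expression, and React already HTML-escapes string children when it renders them, so this message will now show the URL double-encoded (an `&` in the URL is displayed to the user as `&amp;`). Unlike the template-literal messages below, this block needed no manual escaping; `<p>URL: {url}</p>` was already safe in React, so this one line should be reverted. If this file injects raw HTML somewhere else (for example through `dangerouslySetInnerHTML`), that is the place to escape, not here.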
@@ -70,7 +71,7 @@ export default {
7071
The request parameters are invalid.
7172
If you are using S3, make sure you’ve specified the right bucket region name.
7273
</p>
73-
<p>URL: <code><a href=${url} target="_blank">${url}</a></code></p>
74+
<p>URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code></p>
7475
</div>`;
7576
},
7677

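Review bot: `encodeURI(url)` inside the now-quoted `href` does stop attribute breakout (it percent-encodes `"`, `<`, `>` and whitespace), but it also encodes `%` itself, so a task URL that is already percent-encoded (`.../my%20file.wav`, common for object-store keys) becomes `my%2520file.wav` in the link and no longer resolves. `htmlEscape(url)` is sufficient for a double-quoted attribute and keeps the URL intact; beyond that, checking the scheme (only `http:` and `https:`) before emitting a clickable link at all would be the robust fix, since nothing here constrains what scheme a task-provided value carries. With `target="_blank"` the anchor should also carry `rel="noopener noreferrer"`.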
@@ -80,7 +81,7 @@ export default {
8081
<p>
8182
There was an issue loading URL from <code>${attr}</code> value.
8283
Most likely that's because static server has wide-open CORS.
83-
<a href=${this.URL_CORS_DOCS} target="_blank">Read more on that here.</a>
84+
<a href="${this.URL_CORS_DOCS}" target="_blank">Read more on that here.</a>
8485
</p>
8586
<p>
8687
Also check that:
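Review bot: quoting this `href` is right for consistency, but `this.URL_CORS_DOCS` is the hard-coded constant from the top of the file, so no task data reaches this attribute and the change is cosmetic. The `${attr}` interpolation two lines above is the one worth a look: it lands in the HTML string unescaped, and unless `attr` is always a fixed tag attribute name chosen by the code, it needs `htmlEscape` like `url` does.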
@@ -89,7 +90,7 @@ export default {
8990
<li>Network is reachable</li>
9091
</ul>
9192
</p>
92-
<p>URL: <code><a href=${url} target="_blank">${url}</a></code></p>
93+
<p>URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code></p>
9394
</div>`;
9495
},
9596

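Review bot: this is the second of three identical `<a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a>` snippets in the file; a small helper such as `urlLink(url)` that returns the escaped anchor would keep the escaping in one place, so a future message cannot reintroduce the raw `${url}` pattern this commit removes and any change to the encoding (see the `%` double-encoding issue above) is made once.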
@@ -113,7 +114,7 @@ export default {
113114
<p>
114115
Technical description: <code>${error}</code>
115116
<br />
116-
URL: <code><a href=${url} target="_blank">${url}</a></code>
117+
URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code>
117118
</p>
118119
</div>`;
119120
},
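Review bot: `Technical description: <code>${error}</code>` is interpolated into the HTML string without escaping, immediately above the `url` that is now escaped. The commit message says all occurrences are escaped; if `error` can carry text from a server response or an exception message that reflects the requested URL, wrap it in `htmlEscape` as well, otherwise a short comment stating that `error` is always a fixed internal string would document why it is exempt.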
