Merge commit from fork

* escape URL to avoid arbitrary code execution

* add pytest

Author: falkoschindler

nicegui/functions/navigate.py

@@ -1,7 +1,7 @@
 from typing import Any, Callable, Union
 from urllib.parse import urlparse
 
-from .. import background_tasks
+from .. import background_tasks, json
 from ..client import Client
 from ..context import context
 from ..element import Element
@@ -89,7 +89,7 @@ def push(self, url: str) -> None:
 
         :param url: relative or absolute URL
         """
-        run_javascript(f'history.pushState({{}}, "", "{url}");')
+        run_javascript(f'history.pushState({{}}, "", {json.dumps(url)});')
 
     def replace(self, url: str) -> None:
         """Replace the current URL in the browser history.
@@ -100,7 +100,7 @@ def replace(self, url: str) -> None:
 
         :param url: relative or absolute URL
         """
-        run_javascript(f'history.replaceState({{}}, "", "{url}");')
+        run_javascript(f'history.replaceState({{}}, "", {json.dumps(url)});')
 
 
 navigate = Navigate()

tests/test_navigate.py

@@ -77,3 +77,14 @@ def page():
     screen.click('Send mail')
     screen.wait(0.5)
     assert screen.selenium.execute_script('return window.__open_calls') == [['mailto:test@example.com', '_self']]
+
+
+def test_xss_via_history_push(screen: Screen):
+    @ui.page('/')
+    def page():
+        ui.button('Push', on_click=lambda: ui.navigate.history.push('/");console.log("XSS");//'))
+
+    screen.open('/')
+    screen.click('Push')
+    screen.wait(1)
+    assert 'XSS' not in screen.render_js_logs()