Closed Ray0907 closed 3 months ago
Hey @Ray0907
Thanks for this PR! I will review it in the upcoming days (quite busy days recently).
@Baroshem I'm considering an alternative approach. If I use h3 readMultipartFormData and parse the FormData similar to reading the response body, and only check if the FormData is valid, would that be effective? Because as far as I understand, the XSS validator only checks text. Am I correct? If this approach works, perhaps I'll rewrite the feature.
Hey @Ray0907
That sounds like an interesting idea. Have you tried how it behaves if a user passes malicious code in the params?
Like
http/localhost:3000?user=<script>
If it does not break or handles this case properly (it should be validated by XSS as an issue and return a 400 error), I think we could try this approach :)
Types of changes
Description
The original version doesn't support FormData, resulting in blocking all FormData requests. This pull request adds a feature to enhance FormData support. Fix #400
Checklist: