Open JennaySDavis opened 6 months ago
#464 Acceptance Criteria
| Pass/Fail | Description |
|---|---|
| Pass | Smoke Testing of Training app. |
Comments/Additional Notes: Performance score will increase when https://github.com/orgs/GSA/projects/43/views/1?pane=issue&itemId=46203471 is completed.
ADA Compliance (Automated scan via Chrome Lighthouse)

| Criteria | Score |
|---|---|
| Performance | 96 |
| Accessibility | 100 |
| Best Practices | 100 |
Passed 02/2/2024 - JSD
Thank you! Approved with the understanding that #455 will increase score. Moving to done!
Summary: When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (`<script type="module">`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact: Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches: Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12
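Two checks a maintainer of an appType: 'custom' dev server would want after reading the advisory above, written here as an added example (this is not Vite's code and not the upstream fix; upgrading to the patched versions is the remedy the advisory gives). `htmlEntryPath` keeps only the path of the incoming request URL, so no query string or fragment reaches `server.transformIndexHtml`; `isPatchedVite` compares an installed version against the fixed versions the advisory lists. The `server`, `template`, `req` and `res` objects in `serveIndexHtml` are assumed to be a Vite dev server, the raw index.html text, and Node request/response objects; the release-line rules in `isPatchedVite` are my reading of the three fixed versions, not text from the advisory.

```javascript
// Fixed versions as listed in the advisory (vite@4.4.12, vite@4.5.1, vite@5.0.5).
const FIXED_VERSIONS = ['4.4.12', '4.5.1', '5.0.5'];

// Return only the path component of a request URL. Query string and fragment are
// dropped so attacker-controlled text is never handed to transformIndexHtml.
// The origin is a placeholder: WHATWG URL needs one to parse a relative URL.
function htmlEntryPath(requestUrl) {
  const u = new URL(requestUrl, 'http://placeholder.invalid');
  return u.pathname;
}

// Parse "major.minor.patch" (a leading "v" or a prerelease suffix is tolerated).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Is this Vite version at or above the fix for its release line?
// Assumption (mine, derived from the three fixed versions): 5.x needs >= 5.0.5,
// 4.5.x needs >= 4.5.1, 4.4.x needs >= 4.4.12; 4.x below 4.4 has no listed fix
// and is treated as unpatched; majors above 5 are treated as carrying the fix.
function isPatchedVite(version) {
  const v = parseVersion(version);
  const [major, minor] = v;
  if (major > 5) return true;
  if (major === 5) return compareVersions(v, parseVersion('5.0.5')) >= 0;
  if (major === 4 && minor >= 5) return compareVersions(v, parseVersion('4.5.1')) >= 0;
  if (major === 4 && minor === 4) return compareVersions(v, parseVersion('4.4.12')) >= 0;
  return false;
}

// How a custom-appType handler would use htmlEntryPath. `server` is an assumed
// Vite dev server instance, `template` the assumed index.html source text.
async function serveIndexHtml(server, template, req, res) {
  const entry = htmlEntryPath(req.originalUrl || req.url || '/');
  const html = await server.transformIndexHtml(entry, template);
  res.setHeader('Content-Type', 'text/html');
  res.end(html);
}

// Stand-alone demonstration on constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(htmlEntryPath('/index.html?injected=<b>x</b>#frag')); // prints "/index.html"
  for (const v of ['4.4.11', '4.4.12', '4.5.0', '4.5.1', '5.0.4', '5.0.5']) {
    console.log(v, isPatchedVite(v) ? 'patched' : 'UNPATCHED per advisory');
  }
}
```

`serveIndexHtml` is only a sketch of where the path normalisation belongs; the version check is the one to wire into a CI or dependency-audit step, since the advisory's own remedy is upgrading rather than working around the middleware.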