alibaba / rax

🐰 Rax is a progressive framework for building universal application. https://rax.js.org

[BUG] rax-document has an XSS injection risk #2272

Closed fengzilong closed 2 years ago

fengzilong commented 2 years ago

Describe the bug

In the SSR scenario, if the __initialData passed to the <Data /> component in rax-document contains </script>, it can close the script tag early and then inject its own script logic:

<script data-from="server">
window.__INITIAL_DATA__= {
  __SSR_ENABLED__: true,
  pageInitialProps: {"nickname":"</script><script>alert('1')</script>"}
}
</script>

When the above code runs in a browser, it pops alert 1.

Expected behavior

Fix the XSS problem at the framework level.

PR:#2273
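As an added example (not Rax's own code, nor the fix from the linked PR), this is the usual defence for the bug reported above: the serialised initial data is emitted with the characters that matter to the HTML parser written as JSON unicode escapes, so a string containing `</script>` can no longer terminate the inline script. Function names and the sample data are assumptions constructed for the example.

```javascript
// Added example, not part of rax-document. Serialise server-side initial data
// so that it can be safely embedded inside an inline <script> element.
// JSON.stringify alone leaves "<", ">" and "&" untouched, which is exactly
// what lets the "</script>" in the issue's payload break out of the tag.

// Replacement table: each character becomes a JSON unicode escape, which the
// HTML parser does not recognise but JSON.parse still decodes to the original.
const INLINE_SCRIPT_ESCAPES = {
  '<': '\\u003c',      // stops "</script>" and "<!--" from reaching the HTML parser
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // valid in JSON but a line terminator in JS source
  '\u2029': '\\u2029',
};

function serializeForInlineScript(data) {
  return JSON.stringify(data).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => INLINE_SCRIPT_ESCAPES[ch]
  );
}

// Builds the same <script data-from="server"> block shape shown in the issue,
// but with the data passed through the escaping serialiser.
function renderInitialDataScript(initialData) {
  return [
    '<script data-from="server">',
    'window.__INITIAL_DATA__= ' + serializeForInlineScript(initialData),
    '</script>',
  ].join('\n');
}

// Simulates the browser side: the escaped text is still valid JSON, so the
// value the page sees is identical to what the server intended.
function roundTrip(data) {
  return JSON.parse(serializeForInlineScript(data));
}

// Constructed sample mirroring the payload from the bug report.
const SAMPLE_INITIAL_DATA = {
  __SSR_ENABLED__: true,
  pageInitialProps: { nickname: "</script><script>alert('1')</script>" },
};

console.log(renderInitialDataScript(SAMPLE_INITIAL_DATA));
```

The rendered markup contains exactly one `</script>`, the real closing tag, while the nickname string reaches `window.__INITIAL_DATA__` unchanged.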

fengzilong commented 2 years ago

closed via https://github.com/raxjs/rax-app/pull/857