billchurch / webssh2

Web SSH Client using ssh2, socket.io, xterm.js, and express.
MIT License

Fix header url param to not render html to resolve XSS #346

Open elongstreet88 opened 8 months ago

elongstreet88 commented 8 months ago

Fixes https://github.com/billchurch/webssh2/issues/345

http://localhost:2222/ssh/host/mydevice.local?header=<img src=x onerror=alert('XSS')>

Before: [image]

After: [image]

Note - This could be breaking if someone is using the header for HTML rendering; however, I would say this is still justified.
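As an added illustration of the before/after behaviour described in this PR (example code written here, not webssh2's own implementation; the function names and the server-side rendering shape are assumptions), the header parameter is taken from the page's repro URL and rendered once as raw HTML and once as escaped text:

```javascript
// Added example, not webssh2's code. The header query parameter is
// attacker-controlled input and must be treated as text, never as markup.

// Escape the characters HTML parses specially so any markup in the value is
// displayed literally instead of being interpreted by the browser.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before" (assumed shape): the raw parameter is interpolated into markup,
// so a value like <img src=x onerror=...> becomes a live element.
function renderHeaderUnsafe(searchParams) {
  const header = searchParams.get('header') ?? '';
  return `<div id="header">${header}</div>`;
}

// "After" (assumed shape): the parameter is escaped first, equivalent to
// assigning it through textContent on the client, so it renders as text.
function renderHeaderSafe(searchParams) {
  const header = searchParams.get('header') ?? '';
  return `<div id="header">${escapeHtml(header)}</div>`;
}

// Crude check a reviewer can run over rendered output: does the untrusted
// value survive as a tag? Only the header's own wrapper div is expected.
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}

// Constructed input reproducing the repro URL from the PR description.
const repro = new URL(
  "http://localhost:2222/ssh/host/mydevice.local?header=<img src=x onerror=alert('XSS')>"
);

function demo() {
  const unsafe = renderHeaderUnsafe(repro.searchParams);
  const safe = renderHeaderSafe(repro.searchParams);
  return { unsafe, safe, unsafeHasTag: containsForeignTag(unsafe), safeHasTag: containsForeignTag(safe) };
}

console.log(demo());
```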

sonarcloud[bot] commented 8 months ago

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information