braintree / sanitize-url

MIT License

fix: don't allow script tags in url path #72

Closed ad1992 closed 2 months ago

ad1992 commented 3 months ago

Currently, it doesn't sanitize the URL by removing script tags, which can lead to XSS as well (e.g. in cases where content is loaded from an external URL in an iframe), hence I have created this PR to fix the same.

Prev

sanitizeUrl("https://example.com/path/to<script>alert('XSS')</script>") => https://example.com/path/to<script>alert('XSS')</script>

Now

sanitizeUrl("https://example.com/path/to<script>alert('XSS')</script>") => https://example.com/path/toalert('XSS')</script>

jplukarski commented 2 months ago

@ad1992, thank you for taking the time to submit this PR. However, this library is meant for sanitizing URLs before they get injected into the DOM as part of a link or button, not for HTML or general XSS sanitization.

Please see issues #14 and #5.

We recommend forking the repo if you need these changes added to this library. Thanks!
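The two layers the maintainer's reply separates, as an added example that is not code from this PR or from braintree/sanitize-url: `stripScriptOpenTag` reproduces the PR's own output (the literal `<script>` token is removed and `alert('XSS')</script>` is left behind), `checkUrlScheme` is a simplified stand-in for the job a URL sanitizer does (scheme allow-listing; it is not the library's implementation), and `escapeHtml`/`renderAnchor` show the HTML-context escaping that actually makes the `<script>` text inert when the URL is written into markup. All function names are assumptions; the input string is the one from the PR description.

```javascript
// Added example (not code from braintree/sanitize-url or from the PR).
// Shows why removing "<script>" from a URL path is the wrong layer for XSS
// defence: a URL sanitizer decides whether the URL is safe to navigate to,
// and the HTML context into which the URL is written must escape it.
// All function names here are assumptions for illustration.

// Input quoted from the PR description (constructed sample for this example).
const PR_INPUT = "https://example.com/path/to<script>alert('XSS')</script>";

// What the PR's approach yields (output quoted in the PR description):
// deleting the literal "<script>" token leaves the rest of the payload behind.
function stripScriptOpenTag(url) {
  return url.replace(/<script>/gi, "");
}

// Escape the five characters that matter in HTML attribute and text contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Simplified scheme allow-list in the spirit of a URL sanitizer (assumption,
// NOT the library's implementation): http(s), mailto and relative URLs pass;
// any other scheme (javascript:, data:, vbscript:, ...) becomes about:blank.
const ALLOWED_SCHEMES = ["http:", "https:", "mailto:"];
function checkUrlScheme(url) {
  const trimmed = url.trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  if (!m) return trimmed; // relative URL: no scheme to abuse
  const scheme = m[1].toLowerCase() + ":";
  return ALLOWED_SCHEMES.includes(scheme) ? trimmed : "about:blank";
}

// Safe anchor markup: scheme check for the URL (the sanitizer's job), then
// HTML-escaping of the attribute value (the template's job). The "<script>"
// text survives only as escaped, inert characters.
function renderAnchor(url, label) {
  const safeUrl = escapeHtml(checkUrlScheme(url));
  return `<a href="${safeUrl}">${escapeHtml(label)}</a>`;
}

// Does a rendered fragment still contain a live <script> or </script> tag?
function containsScriptTag(html) {
  return /<\/?script\b/i.test(html);
}

// Stand-alone demonstration of the two outcomes.
console.log("PR approach :", stripScriptOpenTag(PR_INPUT));
console.log("escaped     :", renderAnchor(PR_INPUT, "link"));
console.log("javascript: :", checkUrlScheme("javascript:alert(1)"));
```

Running the block shows the separation of concerns: after `stripScriptOpenTag` the string still contains a closing `</script>` tag, while `renderAnchor` produces markup with no script tag at all, and a `javascript:` URL is rejected by `checkUrlScheme` regardless of escaping, which is the case a URL sanitizer exists for.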