Open gtsp233 opened 6 months ago
Latest commit: eaba7f6321ce3ae277f4ad2576bc9829e38b4248
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Fix for Cross-Site Scripting (XSS) Vulnerability
I've identified a Cross-Site Scripting (XSS) vulnerability in this package.
Vulnerability Details:
Steps to Reproduce: In a React.js project:
Then the malicious code alert(1) will be executed.
Suggested Fix or Mitigation: It is best practice for a React.js component package to sanitize the URL before passing it to window.location.assign. React.js and many popular libraries such as react-router-dom and Next.js also ensure URL safety to prevent XSS. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.
Using a whitelist to filter the "editor" props is also suggested.
I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request to resolve this vulnerability. Thanks!
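The mitigation described above (validate the URL before it reaches `window.location.assign`, and allowlist the `editor` prop), as an added example that is not the package's code, the PR author's patch, or any React/react-router/Next.js internals. The function and constant names (`isSafeNavigationUrl`, `safeAssign`, `resolveEditor`, `EDITOR_ALLOWLIST`, the sample editor identifiers) and the fake `location` object are assumptions for illustration. The check leans on the WHATWG URL parser rather than a string prefix test, because the browser strips leading whitespace/control characters and embedded tabs and newlines before deciding on a scheme, so a naive `startsWith("javascript:")` misses inputs like `"java\tscript:alert(1)"`.

```javascript
// Added example, not code from the package under discussion.
// Navigation targets are accepted only if they resolve to http(s); everything
// else (javascript:, data:, vbscript:, unparseable input) is rejected.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Base used only so that relative inputs ("/docs") can be parsed; any https
// origin works here because we inspect the resulting protocol, not the host.
const RESOLVE_BASE = "https://example.invalid/";

// Returns true when `input` is safe to hand to location.assign.
// new URL() applies the same normalisation the browser will: it lowercases the
// scheme, strips leading/trailing C0 controls and spaces, and removes ASCII
// tab/newline anywhere in the input, so "  JaVaScRiPt:alert(1)" and
// "java\tscript:alert(1)" both come back with protocol "javascript:".
function isSafeNavigationUrl(input) {
  if (typeof input !== "string") return false;
  let parsed;
  try {
    parsed = new URL(input, RESOLVE_BASE);
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Vulnerable pattern for contrast: whatever the prop contains is navigated to.
function navigateUnsafe(loc, url) {
  loc.assign(url); // "javascript:alert(1)" runs script here
}

// Hardened pattern: refuse non-http(s) targets and report the rejection.
// Returns true if navigation happened, false if the URL was rejected.
function safeAssign(loc, url) {
  if (!isSafeNavigationUrl(url)) {
    console.warn(`Refusing to navigate to unsafe URL: ${JSON.stringify(url)}`);
    return false;
  }
  loc.assign(url);
  return true;
}

// Allowlist for the "editor" prop (identifiers are hypothetical). Only exact,
// known values are returned; anything else maps to null so the caller falls
// back to a default instead of interpolating attacker-controlled text.
const EDITOR_ALLOWLIST = new Set(["vscode", "webstorm", "sublime"]);

function resolveEditor(editorProp) {
  if (typeof editorProp !== "string") return null;
  return EDITOR_ALLOWLIST.has(editorProp) ? editorProp : null;
}

// Stand-in for window.location so the example runs outside a browser.
function makeFakeLocation() {
  return {
    assigned: [],
    assign(url) {
      this.assigned.push(url);
    },
  };
}

// Constructed inputs exercising the bypasses a prefix check would miss.
const SAMPLES = [
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "https://example.com/path?q=1",
  "/relative/path",
];

const loc = makeFakeLocation();
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeAssign(loc, s) ? "navigated" : "rejected");
}
console.log("editor prop 'javascript:alert(1)' resolves to", resolveEditor("javascript:alert(1)"));
```

Note that protocol-relative inputs such as `//evil.example/x` resolve to `https:` and pass this check; that is an open-redirect concern rather than script execution, and a component that must stay on its own origin should additionally compare `parsed.origin` with `window.location.origin`.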