ethanniser / the-beth-stack

An opinionated hypermedia-driven architecture for building web apps
MIT License

XSS #9

Closed TAnas0 closed 1 year ago

TAnas0 commented 1 year ago

First, nice app, enjoyed it as my introduction to the BETH stack, as well as your video.

Second, just starting a discussion about a vulnerability on the app: when inputting a JS script (e.g. `) it gets executed. Is there some remediation to that? How is it done on the BETH stack?

ethanniser commented 1 year ago

Yes, I am aware this is an issue. It is actively being addressed; check out the updates to @elysia/html.

I'm working on a follow up to the original video with the updated tech, so I will leave this open till then.

arjunindia commented 1 year ago

You can use the `safe` attribute on elements so that the children do not render the HTML in @elysia/html, I believe.

ethanniser commented 1 year ago

This is addressed by the `safe` attribute; also check out the kitajs tsplugin.

idk why this issue got spammed as well, very weird
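
The two comments above describe the mitigation in one sentence: children of an element render as raw HTML unless the element carries a `safe` attribute, in which case they are escaped. The following is an added illustration of that rendering rule, written for this thread; it is not code from the-beth-stack, @elysia/html or @kitajs/html, and the real libraries' exact API and defaults may differ from this toy renderer. The `h()` function, the `RenderedHtml` wrapper and the constructed `USER_INPUT` string are all assumptions made for the example. It goes slightly beyond the thread by also escaping attribute values and by not double-escaping already-rendered child elements, two points the comments do not cover.

```javascript
// Toy hypermedia renderer illustrating the `safe` attribute discussed in the issue.
// NOT the @kitajs/html or @elysia/html implementation; names are assumptions.

// Characters that must be escaped when user-controlled text lands in an HTML text node or
// quoted attribute value.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker for markup that a previous h() call already produced, so that a `safe`
// parent does not escape its nested children a second time.
class RenderedHtml {
  constructor(html) {
    this.html = html;
  }
  toString() {
    return this.html;
  }
}

// Attribute values are always escaped; the `safe` flag itself is a renderer
// instruction and is not emitted.
function renderAttrs(attrs) {
  return Object.entries(attrs)
    .filter(([name]) => name !== "safe")
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join("");
}

function renderChild(child, escape) {
  if (child instanceof RenderedHtml) return child.html; // trusted, already rendered
  return escape ? escapeHtml(child) : String(child); // raw unless `safe` was set
}

// h(tag, attrs, ...children): mirrors the rule described in the thread. Without
// `safe: true` string children are inserted verbatim (the XSS the issue reports);
// with it they are HTML-escaped.
function h(tag, attrs = {}, ...children) {
  const escape = attrs.safe === true;
  const body = children.map((c) => renderChild(c, escape)).join("");
  return new RenderedHtml(`<${tag}${renderAttrs(attrs)}>${body}</${tag}>`);
}

// Constructed sample input of the kind the issue describes (a script tag typed
// into a todo form). It is a test string, not data from the project.
const USER_INPUT = "<script>alert(1)</script>";

// Vulnerable rendering: user text becomes live markup.
function renderTodoRaw(text) {
  return h("li", { class: "todo" }, text).toString();
}

// Hardened rendering: user text is escaped and displayed literally.
function renderTodoSafe(text) {
  return h("li", { class: "todo", safe: true }, text).toString();
}

// Nested elements: a `safe` list does not re-escape the markup of its `safe` items.
function renderList(items) {
  return h("ul", { safe: true }, ...items.map((t) => h("li", { safe: true }, t))).toString();
}

console.log("raw :", renderTodoRaw(USER_INPUT));
console.log("safe:", renderTodoSafe(USER_INPUT));
console.log("list:", renderList(["a&b", USER_INPUT]));
```

When reviewing a BETH-style app for this class of bug, the check is mechanical: every element whose children or attribute values can carry request data needs the `safe` attribute (or an equivalent escaping step), and the output for an input like `USER_INPUT` above must arrive in the browser as `&lt;script&gt;`, never as a `<script>` tag.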