Closed gtsp233 closed 5 months ago
I've identified two Cross-Site Scripting (XSS) vulnerabilities in this package.
Vulnerability Details:
Steps to Reproduce: In a React.js project:
```jsx
import { PlaceholderEmbed, LinkedInEmbed } from 'react-social-media-embed';

<>
  <PlaceholderEmbed url={`javascript:alert(1)`} />
  <LinkedInEmbed url={`javascript:alert(1)`} />
</>
```
Then the malicious code alert(1) will be executed.
Suggested Fix or Mitigation: It is best practice for a React.js components package to sanitize the href attribute before passing it to an `<a>` tag. React.js itself, along with many popular libraries such as react-router-dom and Next.js, also ensures the safety of href attributes. For instance, React.js issues warnings about URLs starting with javascript: and is planning to block these in future versions, as indicated in this pull request.
I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request at your earliest convenience to resolve this vulnerability. Thanks!
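The mitigation the report asks for is a scheme allow-list applied before a user-supplied `url` prop reaches an `href`. The following is an added illustration, not the package's code and not the reporter's pull request: `sanitizeEmbedUrl` and `renderPlaceholderAnchor` are hypothetical names, and the assumption that only absolute `http:`/`https:` URLs are legitimate embed targets is mine (social media post links are always absolute). It relies on WHATWG URL parsing so that case and whitespace variants of `javascript:` are normalised rather than matched by a naive string prefix check.

```javascript
// Added example (not react-social-media-embed's own code): allow-list the URL
// scheme before it is ever rendered into an href. Assumes only absolute
// http(s) URLs are legitimate embed targets; anything else maps to a harmless
// fallback so the rendered anchor can never carry a javascript:/data: URL.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const SAFE_FALLBACK = 'about:blank';

function sanitizeEmbedUrl(raw) {
  if (typeof raw !== 'string') return SAFE_FALLBACK;
  let parsed;
  try {
    // The URL constructor strips leading/trailing control characters and
    // embedded tab/newline characters and lowercases the scheme, so inputs
    // such as " JaVaScRiPt:alert(1)" or "java\tscript:alert(1)" resolve to
    // the javascript: scheme instead of slipping past a prefix check.
    parsed = new URL(raw);
  } catch {
    // Relative or unparsable input is not an absolute http(s) URL: reject.
    return SAFE_FALLBACK;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : SAFE_FALLBACK;
}

// Where the check sits in a component: the raw prop is never placed in href.
// Rendered as a plain string here (constructed illustration, no React needed).
function renderPlaceholderAnchor(url) {
  const href = sanitizeEmbedUrl(url);
  return `<a href="${href}" target="_blank" rel="noopener noreferrer">View post</a>`;
}

module.exports = { sanitizeEmbedUrl, renderPlaceholderAnchor };
```

Returning `parsed.href` rather than the original string also hands the browser an already-normalised URL; if the component needs to preserve the caller's exact string, return `raw` after the scheme check instead, since the check itself does not depend on normalisation of the output.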
Thanks for the PR and for bringing this to my attention! Will address this soon
Closes https://github.com/justinmahar/react-social-media-embed/issues/71
Fix for Cross-Site Scripting (XSS) Vulnerability