lsegal / yard

YARD is a Ruby Documentation tool. The Y stands for "Yay!"

http://yardoc.org

MIT License

1.92k stars 394 forks source link

Closed alextwoods closed 4 months ago

alextwoods commented 4 months ago

Description

Don't update the window location in frames.erb when the input contains javascript.

[x] I have read the Contributing Guide.
[x] The pull request is complete (implemented / written).
[x] Git commits have been cleaned up (squash WIP / revert commits).
[x] I wrote tests and ran bundle exec rake locally (if code is attached to PR).

RedYetiDev commented 4 months ago

Hi! This pull request won't resolve the issue. XSS will still be possible with data: URLs

alextwoods commented 4 months ago

Good point - I hadn't considered data: since I thought most modern browsers block them in the top frame, but should likely be handled as well.

RedYetiDev commented 4 months ago

I actually currently have an advisory open to resolve this issue, if you'd like I can show you my proposed patch