Closed RedYetiDev closed 4 months ago
Even with this, I still believe the best way to resolve this permanently is to use `URL`:

```javascript
let url = new URL(name, location.href)
url.origin === location.origin
```
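The origin comparison suggested above, as an added example that is not code from this PR or from the library. It goes one step beyond the two-line check by also pinning the scheme, since opaque origins (`javascript:`, `data:`, `file:`) all serialize to the string `"null"`. The function names, the scheme allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example: names, allowlist and sample URLs are constructed.

// The two-line check from the comment, with the page URL passed in
// so that it also runs outside a browser (no `location` object).
function originOnly(name, baseHref) {
  const base = new URL(baseHref);
  return new URL(name, base).origin === base.origin;
}

// Schemes a documentation frame may navigate to (assumption). `file:` is
// kept so that locally generated docs opened from disk keep working.
const NAVIGABLE = new Set(['http:', 'https:', 'file:']);

// Hardened variant: parse once, then require an allowed scheme, the same
// scheme as the page, and the same origin.
function isSameOriginTarget(name, baseHref) {
  let base, url;
  try {
    base = new URL(baseHref);
    url = new URL(name, base); // resolves relative names against the page
  } catch (err) {
    return false; // unparseable input is never a valid target
  }
  if (!NAVIGABLE.has(url.protocol)) return false;
  if (url.protocol !== base.protocol) return false;
  return url.origin === base.origin;
}

const WEB = 'https://docs.example/yard/index.html'; // constructed page URL
const LOCAL = 'file:///home/user/doc/index.html';   // constructed page URL

// Constructed targets: a relative page, two cross-origin spellings
// (the parser treats "\\" like "//" for http/https), and two opaque schemes.
const SAMPLES = [
  'Foo/Bar.html',
  '//other.example/x',
  '\\\\other.example/x',
  'javascript:alert("XSS")',
  'data:text/html,hi',
];

// Returns [target, allowed] pairs for one page URL.
function classify(baseHref) {
  return SAMPLES.map((s) => [s, isSameOriginTarget(s, baseHref)]);
}

console.log(classify(WEB), classify(LOCAL));
```

On a page served over HTTPS both checks reject the `javascript:` target, but on a page opened from `file://` the origin-only comparison sees `"null" === "null"` and accepts it, which is the case the scheme check closes.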
Dear @lsegal, I apologize for the oversight regarding your library's XSS and Open-Redirect vulnerabilities. I acknowledge and accept full responsibility for this lapse in judgment. It was a regrettable mistake, and I deeply regret any inconvenience or concern it may have caused. My failure to patch these vulnerabilities thoroughly may have ended your trust in me. I understand the gravity of this situation and the impact it may have had on our professional relationship. Please know that I am genuinely remorseful and committed to rectifying the situation to the best of my abilities. In light of this, I have taken steps to address the vulnerabilities and have provided a suggested pull request (PR) for your consideration. Given the circumstances, I understand if you consider this suggestion with caution, and I respect your decision either way. Moving forward, I am dedicated to implementing more rigorous testing protocols to prevent such oversights in the future. Once again, I extend my deepest apologies for any inconvenience or disappointment caused. I am available to talk about this more whenever you get a chance and to collaborate on any necessary steps to ensure the security and integrity of your library. Thank you for your understanding and patience.
I like your idea, I'm gonna squash and reopen a pull-request.
Description
Yikes! I'm so embarrassed. My patch fails to resolve the XSS/Open-Redirect vulnerability. This second patch will fix it, and I've done much testing to confirm it. Please understand my mistake and implement this into the repository.
Proof of Concept
See the following pen for an example: https://codepen.io/Aviv-Keller/pen/mdgdmyW
`#!:javascript:alert("XSS")`
Completed Tasks
`bundle exec rake` locally (if code is attached to PR).