lucaspulliese / next-ecommerce

A beautiful ecommerce made with Next.js
https://next-ecommerce-front.vercel.app/
MIT License
610 stars 231 forks

sanitize the review description #41

Open gtsp233 opened 11 months ago

gtsp233 commented 11 months ago

Fix for Cross-Site Scripting (XSS) Vulnerability

I've identified a Cross-Site Scripting (XSS) vulnerability in this application.

Vulnerability Details:

Steps to Reproduce:

  1. In utils/data/products.ts, modify the description of reviews to include the <img src="" onError=alert(1) />
  2. The script will run on every user's webpage

Suggested Fix or Mitigation: Sanitize the review description before rendering it.

I've already fixed and tested this issue, and have submitted a pull request with the necessary changes. Please review and merge my pull request at your earliest convenience to resolve this vulnerability. Thanks!

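As an added illustration of the fix the issue asks for (example code, not the pull request's changes or the repository's own code; the `Review` shape, the length limit and the rendered fragment layout are assumptions), the same payload is handled twice: rejected at the data layer because review text is plain text and should never contain angle brackets, and HTML-encoded at render time so that anything that slips through is displayed literally instead of being parsed.

```typescript
// Added example, not code from the next-ecommerce repository. The Review shape,
// MAX_DESCRIPTION_LENGTH and the HTML fragment layout are assumptions.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#x2F;",
};

// Encode every HTML-significant character so the text is rendered literally,
// whether it lands in element content or inside a quoted attribute value.
export function escapeHtml(input: string): string {
  return input.replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

export interface Review { author: string; rating: number; description: string }

const MAX_DESCRIPTION_LENGTH = 2000;

// Input-side check for the data layer: reviews are plain text, so any angle
// bracket means markup was injected (as in the tampered products.ts from the
// issue) and the record should be rejected and logged, never rendered.
export function isValidDescription(description: string): boolean {
  return description.length <= MAX_DESCRIPTION_LENGTH && !/[<>]/.test(description);
}

// Output-side encoding: build the fragment with every user-controlled field
// escaped. This is the alternative to inserting `description` as raw HTML.
export function renderReview(review: Review): string {
  const stars = Math.max(0, Math.min(5, Math.floor(review.rating)));
  return (
    `<li class="review" data-rating="${stars}">` +
    `<strong>${escapeHtml(review.author)}</strong>` +
    `<p>${escapeHtml(review.description)}</p>` +
    `</li>`
  );
}

// Constructed sample data: one benign review and one carrying the payload from
// the issue, as it would look after utils/data/products.ts was modified.
export const SAMPLE_REVIEWS: Review[] = [
  { author: "Ada", rating: 5, description: "Great product, 5/5 would buy again" },
  { author: "Mallory", rating: 1, description: '<img src="" onError=alert(1) />' },
];

// Validate first, then encode: a rejected review is reported rather than shown.
export function demo(): string[] {
  return SAMPLE_REVIEWS.map((r) =>
    isValidDescription(r.description)
      ? renderReview(r)
      : `rejected review by ${escapeHtml(r.author)}`
  );
}
```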
vercel[bot] commented 11 months ago

The latest updates on your projects.

Name: next-ecommerce-front
Status: ❌ Failed
Preview: (none)
Comments: (none)
Updated (UTC): Dec 2, 2023 10:35pm