pacocoursey / next-themes

Perfect Next.js dark mode in 2 lines of code. Support System preference and any other theme with no flashing
https://next-themes-example.vercel.app/
MIT License

SXSS via caching - theme= #213

Open poeyer opened 1 year ago

poeyer commented 1 year ago

Critical issue

https://github.com/pacocoursey/next-themes/blob/main/packages/next-themes/src/index.tsx#L83

Example: Append to URL: ?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27 forcedTheme enabled on Provider

Not everybody has CSP enabled so make sure to sanitize the data attribute/class

The value of the "theme" parameter is reflected on the page; this reflection is then stored with the page/cache. So if someone else visits that page (without using any payload), the previously injected JavaScript will still be returned and execute.

After a while the page/cache will reset and the injection will no longer be returned. If an attacker continuously requests the page with injections, the page will assumably always respond with the injections, though.

poeyer commented 1 year ago

Some notes: if you pass %27-console.log(%27test/%27%2bdocument.domain)-%27 to the forcedTheme, you will store executable JavaScript that can lead to serious issues. May I suggest sanitising the input of forcedTheme?
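The sanitisation suggested in the two comments above, as an added example that is not next-themes code: a model of the unsafe "raw value spliced into the inline script" pattern next to an allowlist-validated version, checked against the query payload quoted in the issue. The theme allowlist and the request URL are constructed for illustration; `sanitizeTheme`, `safeThemeScript` and `demo` are hypothetical names, not project APIs.

```javascript
// Added example, not next-themes code. Models how a theme value reaches the
// inline <script> and how an allowlist keeps it from becoming code.

const ALLOWED_THEMES = ["light", "dark", "system"]; // constructed allowlist

// Accept only known theme names made of CSS-class-safe characters; anything
// else (including the reflected query payload from the issue) yields null.
// The allowlist also rules out "</script>"-style values that JSON.stringify
// alone would not neutralise inside an inline script.
function sanitizeTheme(theme, allowed = ALLOWED_THEMES) {
  if (typeof theme !== "string") return null;
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(theme)) return null;
  return allowed.includes(theme) ? theme : null;
}

// Model of the unsafe pattern: the raw value is spliced into a JS string
// literal inside the inline <script>, so a quote in the value ends the literal.
function unsafeThemeScript(forcedTheme) {
  return `document.documentElement.setAttribute('data-theme','${forcedTheme}')`;
}

// Hardened version: validate first, then serialize with JSON.stringify so the
// value is always emitted as one string literal, never as code.
function safeThemeScript(forcedTheme, fallback = "light") {
  const theme = sanitizeTheme(forcedTheme) ?? fallback;
  return `document.documentElement.setAttribute('data-theme',${JSON.stringify(theme)})`;
}

// Read ?theme= from a request URL the way a page would before handing it to
// the provider as forcedTheme; returns the decoded raw value (or null).
function themeFromUrl(url) {
  return new URL(url).searchParams.get("theme");
}

// Self-check against a constructed request URL carrying the payload quoted in
// the issue: the unsafe script now contains a call expression, while the safe
// one falls back to a known theme and still carries only a string literal.
function demo() {
  const raw = themeFromUrl(
    "https://example.test/?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27"
  );
  return {
    raw,
    rejected: sanitizeTheme(raw) === null,
    unsafeLeaksCode: unsafeThemeScript(raw).includes("console.log("),
    safeScript: safeThemeScript(raw),
  };
}
```

The same allowlist check belongs wherever the value is also written to a class or data attribute, since the cached HTML is what later visitors receive.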