Example:
Append to URL: ?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27
forcedTheme enabled on Provider
Not everybody has CSP enabled so make sure to sanitize the data attribute/class
The value of the "theme" parameter is reflected on the page, and this reflection is then stored with the page/cache. So if someone else visits that page (without using any payload) the previously injected JavaScript will still be returned and execute.
After a while the page/cache will reset and the injection will no longer be returned. If an attacker continuously requests the page with injections, the page will assumably always respond with the injections though.
Some notes: if you pass %27-console.log(%27test/%27%2bdocument.domain)-%27 to the forcedTheme, you will store executable JavaScript that can lead to serious issues. May I suggest sanitising the input of forcedTheme?
Critical issue
https://github.com/pacocoursey/next-themes/blob/main/packages/next-themes/src/index.tsx#L83
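As an added example (not next-themes' own code), one way to keep a forcedTheme value from reaching the inline bootstrap script unchanged: allow-list the theme name and serialise it with JSON.stringify so it is always emitted as a string literal. The names ALLOWED_THEMES, resolveTheme and buildThemeScript are assumptions made here.

```typescript
// Added example, not code from the next-themes project.
// Allow-list of theme names the application actually ships (assumed set).
// Anything else, e.g. a value taken from a ?theme= query parameter, falls
// back to the default instead of being written into the page.
const ALLOWED_THEMES: ReadonlySet<string> = new Set(["light", "dark", "system"]);
const DEFAULT_THEME = "system";

// Only a plain token is acceptable as a class name or data attribute value.
const THEME_TOKEN = /^[a-z][a-z0-9-]{0,31}$/;

// Reduce an untrusted candidate to a known theme name or the default.
function resolveTheme(candidate: unknown): string {
  if (typeof candidate !== "string") return DEFAULT_THEME;
  if (!THEME_TOKEN.test(candidate)) return DEFAULT_THEME;
  return ALLOWED_THEMES.has(candidate) ? candidate : DEFAULT_THEME;
}

// Build the inline script that applies the theme before hydration.
// The value is embedded via JSON.stringify so quotes and control characters
// cannot terminate the string literal, and "<" is escaped so the value cannot
// close the surrounding <script> element either.
function buildThemeScript(
  forcedTheme: unknown,
  attribute: "class" | "data-theme" = "class"
): string {
  const theme = resolveTheme(forcedTheme);
  const literal = JSON.stringify(theme).replace(/</g, "\\u003c");
  const apply =
    attribute === "class"
      ? "d.classList.add(t);"
      : `d.setAttribute(${JSON.stringify(attribute)}, t);`;
  return `(function(){var d=document.documentElement;var t=${literal};${apply}})();`;
}

// Constructed check using the decoded payload from the report above: it never
// reaches the script, the default theme is applied instead.
const reportedPayload = "'-console.log('test/'+document.domain)-'";
console.log(buildThemeScript(reportedPayload));
console.log(buildThemeScript("dark", "data-theme"));
```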