OSSForks/express
1
0
Fork 0
mirror of https://github.com/zebrajr/express.git synced 2025-12-06 00:19:48 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: don't render redirect values in anchor href

Browse Source 
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
This commit is contained in:
Chris de Almeida 2024-09-09 17:16:58 -05:00 committed by Ulises Gascón
parent 125bb742a3
commit 54271f69b5
No known key found for this signature in database
GPG Key ID: 04CD3F2FDE079578
2 changed files with 22 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/response.js
View File

@ -969,7 +969,7 @@ res.redirect = function redirect(url) {
html: function(){
var u = escapeHtml(address);
body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
},
default: function(){

24
test/res.redirect.js
View File

@ -106,7 +106,7 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', 'http://google.com')
.expect(302, '<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>', done)
.expect(302, '<p>Found. Redirecting to http://google.com</p>', done)
})
it('should escape the url', function(done){
@ -122,9 +122,27 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', '%3Cla\'me%3E')
.expect(302, '<p>Found. Redirecting to <a href="%3Cla&#39;me%3E">%3Cla&#39;me%3E</a></p>', done)
.expect(302, '<p>Found. Redirecting to %3Cla&#39;me%3E</p>', done)
})
it('should not render evil javascript links in anchor href (prevent XSS)', function(done){
var app = express();
var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
app.use(function(req, res){
res.redirect(xss);
});
request(app)
.get('/')
.set('Host', 'http://example.com')
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', encodedXss)
.expect(302, '<p>Found. Redirecting to ' + encodedXss +'</p>', done);
});
it('should include the redirect type', function(done){
var app = express();
@ -137,7 +155,7 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', 'http://google.com')
.expect(301, '<p>Moved Permanently. Redirecting to <a href="http://google.com">http://google.com</a></p>', done);
.expect(301, '<p>Moved Permanently. Redirecting to http://google.com</p>', done);
})
})