CVE-2023-3672: XSS mitigation · PlaidWeb/webmention.js@3551b66
Cross-site Scripting (XSS) - DOM in GitHub repository plaidweb/webmention.js prior to 0.5.5.
@@ -188,10 +188,12 @@ A more detailed example:
* @returns {string}
*/
function entities(text) {
return text.replace(/&/g, “&”)
.replace(/</g, “<”)
.replace(/>/g, “>”)
.replace(/"/g, “"”);
return text.replace(/[&<>"]/g, (tag) => ({
'&’: '&’,
'<’: '<’,
'>’: '>’,
'"’: '"’,
}[tag] || tag));
}
/**
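Review bot: The character class in the new `entities` covers `&`, `<`, `>` and `"` but not the single quote, so a value placed into a single-quoted attribute would still pass through unescaped; extending it is a one-line change, `return text.replace(/[&<>"']/g, ...)` with a `"'": '&#39;'` entry added to the map. The rendered page shows the replacement values decoded (`'&': '&'`), so this assumes the source carries the actual entity strings. The `|| tag` fallback can never fire because the regex only matches keys present in the map, and the map literal is rebuilt on every match — hoisting it to a module-level `const` would make the intent clearer. The JSDoc `@returns {string}` above could state that the result is safe for text nodes and double-quoted attribute values only.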
@@ -327,7 +329,7 @@ A more detailed example:
let linktext = `(${t(“mention”)})`;
if (c.name) {
linkclass = "name";
linktext = c.name;
linktext = entities(c.name);
} else if (c.content && c.content.text) {
linkclass = "text";
linktext = extractComment©;
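Review bot: Only the `c.name` branch now passes through `entities()`; the `else if` branch on the last line assigns the result of `extractComment(c)` to `linktext` directly, so if that helper returns `c.content.text` unescaped the same injection remains for the content field — worth confirming, since `extractComment` is outside the hunk. The enclosing function starts and ends outside the hunk, so where `linktext` is finally interpolated into markup is not visible here. Escaping once at that interpolation point, rather than per branch, would cover every source of `linktext` (name, content, and the translated fallback) through a single path.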
Related news
GHSA-r54g-4qq6-chxg: webmention.js Cross-site Scripting vulnerability
webmention.js prior to 0.5.5 is vulnerable to cross-site scripting.