CVE-2023-32325: fix: Remove API and JS urls (#630) · PostHog/posthog-js@67e07eb
PostHog-js is a library for interfacing with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. The problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that a Content Security Policy is in place.
@@ -78,7 +78,6 @@ describe('Toolbar’, () => {
flag_2: 1,
},
userId: 12345,
apiURL: given.config.api_host,
…given.toolbarParamsOverrides,
}))
@@ -92,14 +91,20 @@ describe('Toolbar’, () => {
}))
given.subject()
expect(given.toolbar.loadToolbar).toHaveBeenCalledWith({ …given.toolbarParams, source: ‘url’ })
expect(given.toolbar.loadToolbar).toHaveBeenCalledWith({
…given.toolbarParams,
source: 'url’,
})
})
it('should initialize the toolbar when there are editor params in the session’, () => {
given('storedEditorParams’, () => JSON.stringify(toolbarParams))
given.subject()
expect(given.toolbar.loadToolbar).toHaveBeenCalledWith({ …given.toolbarParams, source: ‘url’ })
expect(given.toolbar.loadToolbar).toHaveBeenCalledWith({
…given.toolbarParams,
source: 'url’,
})
})
it('should NOT initialize the toolbar when the activation query param does not exist’, () => {
@@ -152,18 +157,22 @@ describe('Toolbar’, () => {
token: 'public_token’,
expiresAt: 'expiresAt’,
apiKey: 'apiKey’,
apiURL: 'http://localhost:8000’,
jsURL: 'http://localhost:8000’,
}))
it('should persist for next time’, () => {
expect(given.subject()).toBe(true)
expect(JSON.parse(window.localStorage.getItem(‘_postHogToolbarParams’))).toEqual(given.toolbarParams)
expect(JSON.parse(window.localStorage.getItem(‘_postHogToolbarParams’))).toEqual({
…given.toolbarParams,
apiURL: 'http://api.example.com’,
})
})
it('should load if not previously loaded’, () => {
expect(given.subject()).toBe(true)
expect(window.ph_load_toolbar).toHaveBeenCalledWith(given.toolbarParams, given.lib)
expect(window.ph_load_toolbar).toHaveBeenCalledWith(
{ …given.toolbarParams, apiURL: ‘http://api.example.com’ },
given.lib
)
})
it('should NOT load if previously loaded’, () => {
@@ -184,7 +193,6 @@ describe('Toolbar’, () => {
expect(window.ph_load_toolbar).toHaveBeenCalledWith(
{
…given.toolbarParams,
jsURL: 'http://api.example.com’,
apiURL: 'http://api.example.com’,
token: 'test_token’,
},
### Impact Potential for cross-site scripting in `posthog-js`. ### Patches The problem has been patched in `posthog-js` version 1.57.2. ### Workarounds - This isn't an issue for sites that have a Content Security Policy in place. - Using the HTML tracking snippet on PostHog Cloud always guarantees the latest version of the library – in that case no action is required to upgrade to the patched version. ### References We will publish details of the vulnerability in 30 days as per our [security policy](https://posthog.com/handbook/company/security#policies).