CVE-2022-23077: fix(login): catch double-slash exploit · HabitRPG/habitica@5bcfdbe
Habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.
fix(login): catch double-slash exploit
SabreCat committed
May 20, 2022
1 parent 980e358 commit 5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f
Showing 1 changed file with 2 additions and 2 deletions.
@@ -757,8 +757,8 @@ export default {
}, 500),
sanitizeRedirect (redirect) {
if (!redirect) return '/’;
let sanitizedString = DOMPurify.sanitize(redirect);
if (sanitizedString.slice(0, 1) !== ‘/’) sanitizedString = `/${sanitizedString}`;
let sanitizedString = DOMPurify.sanitize(redirect).replace(/\\|\/\/|\./g, ‘’);
sanitizedString = `/${sanitizedString}`;
return sanitizedString;
},
async register () {
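Review bot: The new `.replace(/\\|\/\/|\./g, '')` on the `let sanitizedString` line is a single pass over a deny-list, so its output is not guaranteed to be free of the patterns it removes — deleting one matched character can leave two previously separated slashes adjacent, and the next line then prefixes another `/`. It also strips every `.` from the redirect, which breaks legitimate targets whose path or query contains a dot. A more robust check is to parse the value relative to the current origin with the URL API, accept only same-origin results, and return just path, search and hash; this relies on the WHATWG parser folding backslashes into slashes for http(s) URLs, which it does. `register` begins on the hunk's last line and continues outside it.
```javascript
sanitizeRedirect (redirect) {
  if (!redirect) return '/';
  let parsed;
  try {
    parsed = new URL(DOMPurify.sanitize(redirect), window.location.origin);
  } catch (err) {
    // Unparseable input: fall back to the site root rather than guessing.
    return '/';
  }
  // Anything that resolved to another origin is an open redirect; reject it.
  if (parsed.origin !== window.location.origin) return '/';
  return `${parsed.pathname}${parsed.search}${parsed.hash}`;
},
```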