CVE-2022-24717: fix: Fix XSS vulnerability by bcldvd · Pull Request #2 · Finastra/ssr-pages
ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.5, a cross-site scripting (XSS) issue can occur when untrusted input is supplied in the redirect.link property of the MessagePageOptions argument passed to the build() function. While there is no known workaround at this time, there is a patch in version 0.1.5.
@@ -3,6 +3,7 @@ import * as handlebars from 'handlebars’;
import { join } from 'path’;
import background from './helpers/background.helper’;
import inlineSVG from './helpers/inlineSVG.helper’;
import { stringEncode } from './helpers/string-encoder.helper’;
import { MessagePageOptions } from './ssr-pages.interface’;
export class SSRPages {
@@ -25,6 +26,7 @@ export class SSRPages {
}
build(msgPageOpts: MessagePageOptions) {
msgPageOpts.redirect.link = stringEncode(msgPageOpts.redirect.link);
return this.templateMessagePage(msgPageOpts);
}
}
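Review bot: The new line `msgPageOpts.redirect.link = stringEncode(msgPageOpts.redirect.link);` mutates the caller's options object, so a caller that reuses the same MessagePageOptions for two build() calls gets the link encoded twice, and anything reading redirect.link afterwards sees the encoded form rather than what it supplied. Building from a shallow copy keeps build() free of that side effect: `const opts = { ...msgPageOpts, redirect: { ...msgPageOpts.redirect, link: stringEncode(msgPageOpts.redirect.link) } };` followed by `return this.templateMessagePage(opts);`. stringEncode's behaviour is not visible in this hunk; if it only entity-encodes, encoding alone does not make a value safe to emit as an href, so a scheme allowlist (http/https or relative paths) applied before encoding is the usual complement, and a comment on this line stating which output context the encoded value is safe for would help the next maintainer. The line also assumes redirect is always present; if MessagePageOptions allows it to be omitted, build() now throws where it presumably did not before.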