XSS in bounty.url
Closed this issue · 8 comments
The bounty URL can be set to an arbitrary string, and then it is passed to link_to here: https://github.com/excid3/beginnerbounties.com/blob/main/app/views/bounties/_bounty.html.erb#L18
Since link_to accepts any URL schema, a malicious actor can set this to javascript: console.log('xss') and execute an XSS attack, which can have serious consequences.
Ah yes, I always forget that. Easiest way to handle that is something like this right?
<%= sanitize link_to("View Project", @bounty.url) %>
I created a test bounty for this, but I can't delete it 🤦♂️ Can someone delete that please?
I don't think that sanitize would work. The best way to handle it is to add a validation rule to only permit http or https at the beginning of the string.
Pretty sure that's what I've done in the past, because it will sanitize the anchor tag. It's probably simpler to validate the URL format though, like you mentioned; otherwise it would print out the escaped JS string, which we don't want.
You are right, I just checked the docs: https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
TIL :)
Validation is also better because you do it in one place and the issue is fixed everywhere; you don't need to worry about forgetting to handle it anywhere you render a link.
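One way to implement the validation discussed above, as an added example that is not code from beginnerbounties.com: a plain-Ruby check (the module and method names are hypothetical) that accepts a bounty URL only when it parses as an absolute http or https URL, so that a javascript: value is rejected when the bounty is saved rather than sanitized at every link_to.

```ruby
require "uri"

# Added example, not the project's own code. Rejects anything that is not an
# absolute http(s) URL, so link_to in the views never sees a javascript: value.
module BountyUrlValidator
  PERMITTED_SCHEMES = %w[http https].freeze

  # Returns nil when the URL is acceptable, otherwise a short error message
  # suitable for errors.add(:url, ...) in a Rails model.
  def self.error_for(value)
    return "can't be blank" if value.nil? || value.to_s.strip.empty?

    # URI.parse raises on malformed input (e.g. a value containing spaces);
    # treat that as invalid instead of letting it reach the view.
    uri = begin
      URI.parse(value.to_s.strip)
    rescue URI::InvalidURIError
      return "is not a valid URL"
    end

    # Compare the scheme case-insensitively so "JavaScript:" is caught as well.
    scheme = uri.scheme.to_s.downcase
    return "must start with http:// or https://" unless PERMITTED_SCHEMES.include?(scheme)

    # "http:" alone or a scheme-relative "//host" has nothing safe to link to.
    return "must include a host" if uri.host.nil? || uri.host.empty?

    nil
  end

  def self.valid?(value)
    error_for(value).nil?
  end
end

# Hypothetical wiring into the Bounty model (shown for context only):
#   validate do
#     msg = BountyUrlValidator.error_for(url)
#     errors.add(:url, msg) if msg
#   end
```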
@gregmolnar you can delete your post now btw. We added the delete button back.
Deleted. Thanks!