respond-proxy.html has XSS issue
zmmbreeze opened this issue · 5 comments
For example: http://yourcdn.com/respond-proxy.html?url=javascript:alert(19890611520);&css=http://yourcdn.com/test.css
Code: https://github.com/scottjehl/Respond/blob/master/cross-domain/respond-proxy.html#L90
Confirmed.
@scottjehl any update on this?
So, deprecating the cross-domain proxy is definitely the first thing I'd like to do. A server proxy, while annoying, is likely the better way to handle this situation. I hope you agree.
The proxy has been deprecated in the readme since October, so I think a new point release should remove it.
I added the following in respond-proxy.html#L87 in order to have a minimal protection.
// XSS protection: drop the proxied URL if it mentions the javascript scheme
if (domain.toLowerCase().indexOf('javascript') !== -1) {
    domain = null;
}
Not sure if it is possible to pass through.
Can we not do whitelisting, i.e. only accept URLs starting with http:// and https://?
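The allowlist approach raised in the last comment, written out as an added example (not code from this issue thread or from the Respond project): instead of searching the string for a forbidden word, the url parameter is parsed and accepted only when its scheme is http or https and its host is on a configured list. The host list and the function names are assumptions for the example; the substring check posted earlier in the thread is included for comparison.

```javascript
// Added example, not part of Respond. Demonstrates validating the "url"
// parameter of a cross-domain CSS proxy with a scheme + host allowlist.

// Constructed list of hosts the proxy is permitted to fetch CSS from
// (assumption for the example; a real deployment would configure this).
const ALLOWED_HOSTS = new Set(['yourcdn.com']);

// The substring check posted in the thread: passes anything that does not
// contain the word "javascript". Shown only for comparison.
function blocklistCheck(url) {
  return url.toLowerCase().indexOf('javascript') === -1;
}

// Allowlist check: parse the value as an absolute URL, then require an
// http(s) scheme and a known host. Relative or unparseable input is rejected.
function isAllowedProxyUrl(input) {
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return false;
  }
  return ALLOWED_HOSTS.has(parsed.hostname.toLowerCase());
}

// Constructed sample inputs, including the one reported in the issue.
const SAMPLES = [
  'javascript:alert(19890611520);',      // reported payload
  'http://yourcdn.com/test.css',         // legitimate stylesheet
  'http://third-party.example/x.css',    // wrong host, no "javascript" in it
  '/test.css',                           // relative path
];

// Returns one row per sample so both checks can be compared side by side.
function compareChecks(samples) {
  return samples.map((url) => ({
    url,
    blocklist: blocklistCheck(url),
    allowlist: isAllowedProxyUrl(url),
  }));
}

for (const row of compareChecks(SAMPLES)) {
  console.log(row);
}
```

The third sample shows why the allowlist is the better fit for a proxy: the substring check lets the proxy load CSS from any origin, while the allowlist confines it to the hosts the deployment actually intends to serve.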