Skip to content

Commit

Permalink
fix: don't render redirect values in anchor href
Browse files Browse the repository at this point in the history
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
  • Loading branch information
ctcpip and UlisesGascon committed Sep 10, 2024
1 parent 125bb74 commit 54271f6
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 4 deletions.
2 changes: 1 addition & 1 deletion lib/response.js
Original file line number Diff line number Diff line change
Expand Up @@ -969,7 +969,7 @@ res.redirect = function redirect(url) {

html: function(){
var u = escapeHtml(address);
body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
},

default: function(){
Expand Down
24 changes: 21 additions & 3 deletions test/res.redirect.js
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', 'http://google.com')
.expect(302, '<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>', done)
.expect(302, '<p>Found. Redirecting to http://google.com</p>', done)
})

it('should escape the url', function(done){
Expand All @@ -122,9 +122,27 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', '%3Cla\'me%3E')
.expect(302, '<p>Found. Redirecting to <a href="%3Cla&#39;me%3E">%3Cla&#39;me%3E</a></p>', done)
.expect(302, '<p>Found. Redirecting to %3Cla&#39;me%3E</p>', done)
})

it('should not render evil javascript links in anchor href (prevent XSS)', function(done){
var app = express();
var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';

app.use(function(req, res){
res.redirect(xss);
});

request(app)
.get('/')
.set('Host', 'http://example.com')
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', encodedXss)
.expect(302, '<p>Found. Redirecting to ' + encodedXss +'</p>', done);
});

it('should include the redirect type', function(done){
var app = express();

Expand All @@ -137,7 +155,7 @@ describe('res', function(){
.set('Accept', 'text/html')
.expect('Content-Type', /html/)
.expect('Location', 'http://google.com')
.expect(301, '<p>Moved Permanently. Redirecting to <a href="http://google.com">http://google.com</a></p>', done);
.expect(301, '<p>Moved Permanently. Redirecting to http://google.com</p>', done);
})
})

Expand Down

0 comments on commit 54271f6

Please # to comment.