fix: don't render redirect values in anchor href

ctcpip · UlisesGascon · UlisesGascon · commit 54271f69b511 · 2024-09-10T04:00:58.000+02:00
Co-authored-by: Ulises Gascón &lt;ulisesgascongonzalez@gmail.com&gt;
diff --git a/lib/response.js b/lib/response.js
@@ -969,7 +969,7 @@ res.redirect = function redirect(url) {
 
     html: function(){
       var u = escapeHtml(address);
-      body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
+      body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
     },
 
     default: function(){
diff --git a/test/res.redirect.js b/test/res.redirect.js
@@ -106,7 +106,7 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', 'http://google.com')
-      .expect(302, '<p>Found. Redirecting to <a href="http://google.com">http://google.com</a></p>', done)
+      .expect(302, '<p>Found. Redirecting to http://google.com</p>', done)
     })
 
     it('should escape the url', function(done){
@@ -122,9 +122,27 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', '%3Cla\'me%3E')
-      .expect(302, '<p>Found. Redirecting to <a href="%3Cla&#39;me%3E">%3Cla&#39;me%3E</a></p>', done)
+      .expect(302, '<p>Found. Redirecting to %3Cla&#39;me%3E</p>', done)
     })
 
+    it('should not render evil javascript links in anchor href (prevent XSS)', function(done){
+      var app = express();
+      var xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
+      var encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';
+
+      app.use(function(req, res){
+        res.redirect(xss);
+      });
+
+      request(app)
+      .get('/')
+      .set('Host', 'http://example.com')
+      .set('Accept', 'text/html')
+      .expect('Content-Type', /html/)
+      .expect('Location', encodedXss)
+      .expect(302, '<p>Found. Redirecting to ' + encodedXss +'</p>', done);
+    });
+
     it('should include the redirect type', function(done){
       var app = express();
 
@@ -137,7 +155,7 @@ describe('res', function(){
       .set('Accept', 'text/html')
       .expect('Content-Type', /html/)
       .expect('Location', 'http://google.com')
-      .expect(301, '<p>Moved Permanently. Redirecting to <a href="http://google.com">http://google.com</a></p>', done);
+      .expect(301, '<p>Moved Permanently. Redirecting to http://google.com</p>', done);
     })
   })
 
